Skip to content

T1074.001 Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.1

Item Value
ID T1074.001
Sub-techniques T1074.001, T1074.002
Tactics TA0009
Platforms Linux, Windows, macOS
Version 1.1
Created 13 March 2020
Last Modified 21 April 2022

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.26
S0622 AppleSeed AppleSeed can stage files in a central location prior to exfiltration.35
G0007 APT28 APT28 has stored captured credential information in a file named pi.log.92
G0022 APT3 APT3 has been known to stage files for exfiltration in a single location.90
G0087 APT39 APT39 has utilized tools to aggregate data prior to exfiltration.77
S0373 Astaroth Astaroth collects data in a plaintext file named r1.log before exfiltration. 73
S0438 Attor Attor has staged collected data in a central upload directory prior to exfiltration.57
S1029 AuTo Stealer AuTo Stealer can store collected data from an infected host to a file named Hostname_UserName.txt prior to exfiltration.38
G0135 BackdoorDiplomacy BackdoorDiplomacy has copied files of interest to the main drive’s recycle bin.18
S0128 BADNEWS BADNEWS copies documents under 15MB found on the victim system to is the user’s %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory.1920
S0337 BadPatch BadPatch stores collected data in log files before exfiltration.62
S0651 BoxCaon BoxCaon has created a working folder for collected files that it sends to the C2 server.69
C0015 C0015 During C0015, PowerView’s file share enumeration results were stored in the file c:\ProgramData\found_shares.txt.98
C0017 C0017 During C0017, APT41 copied the local SAM and SYSTEM Registry hives to a staging directory.96
S0274 Calisto Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.6465
S0335 Carbon Carbon creates a base directory that contains the files and folders that are collected.5
S0261 Catchamas Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.3
S1043 ccf32 ccf32 can temporarily store files in a hidden directory on the local host.13
G0114 Chimera Chimera has staged stolen data locally on compromised hosts.76
S0667 Chrommme Chrommme can store captured system information locally prior to exfiltration.37
S0538 Crutch Crutch has staged stolen files in the C:\AMD\Temp directory.6
S0673 DarkWatchman DarkWatchman can stage local data in the Windows Registry.1
G0035 Dragonfly Dragonfly has created a directory named “out” in the user’s %AppData% folder and copied files to it.84
S0567 Dtrack Dtrack can save collected data to disk, different file formats, and network shares.2829
S0038 Duqu Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.2
S0062 DustySky DustySky created folders in temp directories to host collected files before exfiltration.51
S0024 Dyre Dyre has the ability to create files in a TEMP folder to act as a database to store information.34
S0593 ECCENTRICBANDWAGON ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.53
S0081 Elise Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.23
S0343 Exaramel for Windows Exaramel for Windows specifies a path to store files scheduled for exfiltration.40
G0053 FIN5 FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.89
S0036 FLASHFLOOD FLASHFLOOD stages data it copies from the local system or removable drives in the “%WINDIR%\$NtUninstallKB885884$" directory.46
S0503 FrameworkPOS FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.10
S1044 FunnyDream FunnyDream can stage collected information including screen captures and logged keystrokes locally.13
G0093 GALLIUM GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.91
S0249 Gold Dragon Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.54
S0170 Helminth Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.16
G0119 Indrik Spider Indrik Spider has stored collected date in a .tmp file.83
S0260 InvisiMole InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.4243
S0265 Kazuar Kazuar stages command output and collected data in files before exfiltration.58
S0526 KGH_SPY KGH_SPY can save collected system information to a file named “info” before exfiltration.32
G0094 Kimsuky Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.8788
G0032 Lazarus Group Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.9594
G0065 Leviathan Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.8586
S0395 LightNeuron LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.55
S0409 Machete Machete stores files and logs in a folder on the local drive.1112
S1016 MacMa MacMa has stored collected files locally before exfiltration.17
S1060 Mafalda Mafalda can place retrieved files into a destination directory.15
S0652 MarkiRAT MarkiRAT can store collected data locally in a created .nfo file.68
G0045 menuPass menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.82
S0443 MESSAGETAP MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.24
S1059 metaMain metaMain has stored the collected system files in a working directory.1566
S1015 Milan Milan has saved files prior to upload from a compromised host to folders beginning with the characters a9850d2f.59
S0084 Mis-Type Mis-Type has temporarily stored collected information to the files “%AppData%\{Unique Identifier}\HOSTRURKLSR” and “%AppData%\{Unique Identifier}\NEWERSSEMP”.56
S0149 MoonWind MoonWind saves information from its keylogging routine as a .zip file in the present working directory.7
G0069 MuddyWater MuddyWater has stored a decoy PDF file within a victim’s %temp% folder.80
G0129 Mustang Panda Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.7475
S0247 NavRAT NavRAT writes multiple outputs to a TMP file using the >> method.49
S0198 NETWIRE NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.14
S0353 NOKKI NOKKI can collect data from the victim and stage it in LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.72
S0644 ObliqueRAT ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.48
S0340 Octopus Octopus has stored collected information in the Application Data directory on a compromised host.2122
S0264 OopsIE OopsIE stages the output from command execution and collected files in specific folders before exfiltration.27
C0006 Operation Honeybee During Operation Honeybee, stolen data was copied into a text file using the format From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt prior to compression, encoding, and exfiltration.97
C0014 Operation Wocao During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.99
G0040 Patchwork Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.20
S0012 PoisonIvy PoisonIvy stages collected data in a text file.50
S1012 PowerLess PowerLess can stage stolen browser data in C:\\Windows\\Temp\\cup.tmp and keylogger data in C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK.63
S0113 Prikormka Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.39
S0147 Pteranodon Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.60
S0196 PUNCHBUGGY PUNCHBUGGY has saved information to a random temp file before exfil.61
S0197 PUNCHTRACK PUNCHTRACK aggregates collected data in a tmp file.67
S0650 QakBot QakBot has stored stolen emails and other data into new folders prior to exfiltration.52
S0629 RainyDay RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.36
S0458 Ramsay Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.7071
S0169 RawPOS Data captured by RawPOS is placed in a temporary file under a directory named “memdump”.44
S0090 Rover Rover copies files from removable drives to C:\system.45
G0121 Sidewinder Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.79
S0615 SombRAT SombRAT can store harvested data in a custom database under the %TEMP% directory.4
S0035 SPACESHIP SPACESHIP identifies files with certain extensions and copies them to a directory in the user’s profile.46
S1037 STARWHALE STARWHALE has stored collected data in a file called stari.txt.33
S1042 SUGARDUMP SUGARDUMP has stored collected data under %<malware_execution_folder>%\\CrashLog.txt.25
G0139 TeamTNT TeamTNT has aggregated collected credentials in text files before exfiltrating.93
G0088 TEMP.Veles TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.81
G0027 Threat Group-3390 Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.78
S0094 Trojan.Karagany Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.89
S0647 Turian Turian can store copied files in a specific directory prior to exfiltration.18
S0386 Ursnif Ursnif has used tmp files to stage gathered information.47
S0136 USBStealer USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.3031
S0251 Zebrocy Zebrocy stores all collected information in a single file before exfiltration.41

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0024 Windows Registry Windows Registry Key Modification

References

  1. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  2. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  3. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. 

  4. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  5. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. 

  6. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  7. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  8. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 

  9. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  10. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. 

  11. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  12. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  13. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  14. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  15. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  16. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  17. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. 

  18. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  19. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  20. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  21. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  22. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  23. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. 

  24. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. 

  25. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  26. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  27. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  28. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  29. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  30. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  31. Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. 

  32. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  33. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 

  34. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. 

  35. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  36. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  37. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  38. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  39. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  40. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  41. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  42. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  43. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  44. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017. 

  45. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  46. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. 

  47. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. 

  48. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  49. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  50. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  51. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  52. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. 

  53. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  54. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  55. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  56. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  57. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  58. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  59. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  60. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  61. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  62. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  63. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. 

  64. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018. 

  65. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  66. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  67. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  68. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  69. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  70. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  71. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  72. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. 

  73. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  74. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. 

  75. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  76. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  77. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  78. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  79. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  80. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. 

  81. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. 

  82. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  83. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  84. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  85. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  86. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  87. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  88. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. 

  89. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017. 

  90. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  91. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  92. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  93. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. 

  94. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  95. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  96. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  97. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  98. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.