Skip to content

T1082 System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version).6 System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.54

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.123

Item Value
ID T1082
Tactics TA0007
Platforms IaaS, Linux, Network, Windows, macOS
Version 2.5
Created 31 May 2017
Last Modified 30 March 2023

Procedure Examples

ID Name Description
S0065 4H RAT 4H RAT sends an OS version identifier in its beacons.280
S1028 Action RAT Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.93
G0018 admin@338 admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download35
S0045 ADVSTORESHELL ADVSTORESHELL can run Systeminfo to gather information about the victim.7071
S0331 Agent Tesla Agent Tesla can collect the system’s computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.373839
S1025 Amadey Amadey has collected the computer name and OS version from a compromised machine.5758
S0504 Anchor Anchor can determine the hostname and linux version on a compromised host.297
S0584 AppleJeus AppleJeus has collected the victim host information after infection.160
S0622 AppleSeed AppleSeed can identify the OS version of a targeted system.198
G0026 APT18 APT18 can collect system information from the victim’s machine.387
G0073 APT19 APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.410411
G0022 APT3 APT3 has a tool that can obtain information about the local system.260376
G0050 APT32 APT32 has collected the OS version and computer name from victims. One of the group’s backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.356357358359
G0067 APT37 APT37 collects the computer name, the BIOS model, and execution path.355
G0082 APT38 APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.368
G0143 Aquatic Panda Aquatic Panda has used native OS commands to understand privilege levels and system details.412
S0456 Aria-body Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.132
S0373 Astaroth Astaroth collects the machine name and keyboard language from the system. 212213
S0438 Attor Attor monitors the free disk space on the system.269
S1029 AuTo Stealer AuTo Stealer has the ability to collect the hostname and OS information from an infected host.93
S0473 Avenger Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.27
S0344 Azorult Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.330331
S0638 Babuk Babuk can enumerate disk volumes, get disk information, and query service status.87
S0414 BabyShark BabyShark has executed the ver command.230
S0475 BackConfig BackConfig has the ability to gather the victim’s computer name.120
S0093 Backdoor.Oldrea Backdoor.Oldrea collects information about the OS and computer name.231232
S0031 BACKSPACE During its initial execution, BACKSPACE extracts operating system information from the infected host.49
S0245 BADCALL BADCALL collects the computer name and host name on the compromised system.341
S0642 BADFLICK BADFLICK has captured victim computer name, memory space, and CPU details.311
S0337 BadPatch BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.310
S0234 Bandook Bandook can collect information about the drives available on the system.53
S0239 Bankshot Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.179180
S0534 Bazar Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.342343
S0017 BISCUIT BISCUIT has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC.40
S0268 Bisonal Bisonal has used commands and API calls to gather system information.333335334
S1070 Black Basta Black Basta can enumerate volumes and collect system boot configuration and CPU information.302301
S1068 BlackCat BlackCat can obtain the computer name and UUID, and enumerate local drives.168
S0089 BlackEnergy BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.195196
S0564 BlackMould BlackMould can enumerate local drives on a compromised host.340
S0520 BLINDINGCAN BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.239
G0108 Blue Mockingbird Blue Mockingbird has collected hardware details for the victim’s system, including CPU and memory information.373
S0657 BLUELIGHT BLUELIGHT has collected the computer name and OS version from victim machines.304
S0486 Bonadan Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.68
S0635 BoomBox BoomBox can enumerate the hostname, domain, and IP of a compromised host.28
S0252 Brave Prince Brave Prince collects hard drive content and system configuration information.56
S0043 BUBBLEWRAP BUBBLEWRAP collects system information, including the operating system version and hostname.35
S0471 build_downer build_downer has the ability to send system volume information to C2.27
S1039 Bumblebee Bumblebee can enumerate the OS version and domain on a targeted system.969594
S0482 Bundlore Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion.1424
C0017 C0017 During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.16
S0693 CaddyWiper CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.7374
S0454 Cadelspy Cadelspy has the ability to discover information about the compromised host.271
S0351 Cannon Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.245246
S0484 Carberp Carberp has collected the operating system version from the infected system.98
S0348 Cardinal RAT Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.218
S0462 CARROTBAT CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.7959
S0572 Caterpillar WebShell Caterpillar WebShell has a module to gather information from the compromrised asset, including the computer version, computer name, IIS version, and more.141
S0631 Chaes Chaes has collected system information, including the machine name and OS version.26
S0674 CharmPower CharmPower can enumerate the OS version and computer name on a targeted system.91
S0144 ChChes ChChes collects the victim hostname, window resolution, and Microsoft Windows version.274144
G0114 Chimera Chimera has used fsutil fsinfo drives, systeminfo, and vssadmin list shadows for system information including shadow volumes and drive information.378
S0667 Chrommme Chrommme has the ability to list drives and obtain the computer name of a compromised host.252
S0660 Clambling Clambling can discover the hostname, computer name, and Windows version of a targeted machine.4142
S0106 cmd cmd can be used to find information about the operating system.10
S0244 Comnie Comnie collects the hostname of the victim machine.332
G0142 Confucius Confucius has used a file stealer that can examine system drives, including those other than the C drive.377
S0137 CORESHELL CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.186
S0046 CozyCar A system info module in CozyCar gathers information on the victim host’s configuration.183
S0488 CrackMapExec CrackMapExec can enumerate the system drives and associated system name.8
S0115 Crimson Crimson contains a command to collect the victim PC name, disk drive information, and operating system.126125127
S0625 Cuba Cuba can enumerate local drives, disk type, and disk free space.323
S0687 Cyclops Blink Cyclops Blink has the ability to query device information.291
S0334 DarkComet DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.219220
G0012 Darkhotel Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.388389
S1066 DarkTortilla DarkTortilla can obtain system information by querying the Win32_ComputerSystem, Win32_BIOS, Win32_MotherboardDevice, Win32_PnPEntity, and Win32_DiskDrive WMI objects.50
S0673 DarkWatchman DarkWatchman can collect the OS version, system architecture, uptime, and computer name.324
S1052 DEADEYE DEADEYE can enumerate a victim computer’s volume serial number and host name.16
S0616 DEATHRANSOM DEATHRANSOM can enumerate logical drives on a target system.83
S0354 Denis Denis collects OS information and the computer name from the victim’s machine.204205
S0021 Derusbi Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.197
S0659 Diavol Diavol can collect the computer name and OS version from the system.170
S0472 down_new down_new has the ability to identify the system volume information of a compromised host.27
S0186 DownPaper DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.319
S0384 Dridex Dridex has collected the computer name and OS architecture information from the system.201
S0547 DropBook DropBook has checked for the presence of Arabic language in the infected machine’s settings.171
S0105 dsquery dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain.16
S0567 Dtrack Dtrack can collect the victim’s computer name, hostname and adapter information to create a unique identifier.285286
S0062 DustySky DustySky extracts basic information about the operating system.123
S0024 Dyre Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.131
S0554 Egregor Egregor can perform a language check of the infected system and can query the CPU information (cupid).174175
S0081 Elise Elise executes systeminfo after initial communication is made to the remote server.272
S0082 Emissary Emissary has the capability to execute ver and systeminfo commands.55
S0363 Empire Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.1413
S0634 EnvyScout EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.28
S0091 Epic Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.336
S0568 EVILNUM EVILNUM can obtain the computer name from the victim’s system.88
S0569 Explosive Explosive has collected the computer name from the infected host.161
S0181 FALLCHILL FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.251
S0512 FatDuke FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host.133
S0171 Felismus Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.345
S0267 FELIXROOT FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.188189
S0679 Ferocious Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.51
S0355 Final1stspy Final1stspy obtains victim Microsoft Windows version information and CPU architecture.298
S0182 FinFisher FinFisher checks if the victim OS is 32 or 64-bit.261262
S0381 FlawedAmmyy FlawedAmmyy can collect the victim’s operating system and computer name during the initial infection.64
C0001 Frankenstein During Frankenstein, the threat actors used Empire to obtain the compromised machine’s name.13
S1044 FunnyDream FunnyDream can enumerate all logical drives on a targeted machine.290
C0007 FunnyDream During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.290
S0410 Fysbis Fysbis has used the command ls /etc
G0047 Gamaredon Group A Gamaredon Group file stealer can gather the victim’s computer name and drive serial numbers to send to a C2 server.360361362
S0666 Gelsemium Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.252
S0460 Get2 Get2 has the ability to identify the computer name and Windows version of an infected host.137
S0032 gh0st RAT gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.303
S0249 Gold Dragon Gold Dragon collects endpoint information using the systeminfo command.56
S0493 GoldenSpy GoldenSpy has gathered operating system information.300
S0531 Grandoreiro Grandoreiro can collect the computer name and OS version from a compromised host.65
S0237 GravityRAT GravityRAT collects the MAC address, computer name, and CPU information.145
S0690 Green Lambert Green Lambert can use uname to identify the operating system name, version, and processor type.337338
S0417 GRIFFON GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim’s computer, including the resolution of the workstation .30
S0632 GrimAgent GrimAgent can collect the OS, and build version on a compromised host.67
S0151 HALFBAKED HALFBAKED can obtain information about the OS, processor, and BIOS.210
S0214 HAPPYWORK can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.24
S0391 HAWKBALL HAWKBALL can collect the OS version, architecture information, and computer name.48
S0617 HELLOKITTY HELLOKITTY can enumerate logical drives on a target system.83
S0697 HermeticWiper HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.109110108107
G1001 HEXANE HEXANE has collected the hostname of a compromised machine.136
S1027 Heyoka Backdoor Heyoka Backdoor can enumerate drives on a compromised host.181
G0126 Higaisa Higaisa collected the system volume serial number, GUID, and computer name.371372
S0601 Hildegard Hildegard has collected the host’s OS, CPU, and memory information.347
S0376 HOPLIGHT HOPLIGHT has been observed collecting victim machine information like OS version, volume information, and more.264
S0431 HotCroissant HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.192
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.273
S1022 IceApple The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.265
S0483 IcedID IcedID has the ability to identify the computer name and OS version on a compromised host.148
G0100 Inception Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.399
S0604 Industroyer Industroyer collects the victim machine’s Windows GUID.321
S0259 InnaputRAT InnaputRAT gathers volume drive information and system information.326
S0260 InvisiMole InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.327328
S0015 Ixeshe Ixeshe collects the computer name of the victim’s system during the initial infection.185
S0044 JHUHUGIT JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.258259
S0201 JPIN JPIN can obtain system information such as OS version and disk space.128
S0283 jRAT jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.229
S0215 KARAE KARAE can collect system information.24
S0088 Kasidet Kasidet has the ability to obtain a victim’s system name and operating system version.247
S0265 Kazuar Kazuar gathers information on the system and local drives.169
G0004 Ke3chang Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.374375241
S0585 Kerrdown Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.320
S0487 Kessel Kessel has collected the system architecture, OS version, and MAC address information.68
S1020 Kevin Kevin can enumerate the OS version and hostname of a targeted machine.136
S0387 KeyBoy KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.165164
S0271 KEYMARBLE KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.182
S0526 KGH_SPY KGH_SPY can collect drive information from a compromised host.217
S0607 KillDisk KillDisk retrieves the hard disk name by calling the CreateFileA to \.\PHYSICALDRIVE0 API.244
G0094 Kimsuky Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the “systeminfo” command.381380
S0250 Koadic Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.18
S0641 Kobalos Kobalos can record the hostname and kernel version of the target machine.243
S0669 KOCTOPUS KOCTOPUS has checked the OS version using wmic.exe and the find command.18
S0156 KOMPROGO KOMPROGO is capable of retrieving information about the infected system.29
S0356 KONNI KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.255256257
S0236 Kwampirs Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.194
G0032 Lazarus Group Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.403401402405284404
S0395 LightNeuron LightNeuron gathers the victim computer name using the Win32 API call GetComputerName.202
S0211 Linfo Linfo creates a backdoor through which remote attackers can retrieve system information.193
S0513 LiteDuke LiteDuke can enumerate the CPUID and BIOS version on a compromised system.133
S0680 LitePower LitePower has the ability to list local drives and enumerate the OS architecture.51
S0681 Lizar Lizar can collect the computer name from the machine,.313
S0447 Lokibot Lokibot has the ability to discover the computer name and Windows product name/version.325
S0451 LoudMiner LoudMiner has monitored CPU usage.305
S0532 Lucifer Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.275
S0409 Machete Machete collects the hostname of the target computer.99
S1016 MacMa MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes.240
S1048 macOS.OSAMiner macOS.OSAMiner can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility df.62
S1060 Mafalda Mafalda can collect the computer name and enumerate all drives on a compromised host.8990
G0059 Magic Hound Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.365364363
S0652 MarkiRAT MarkiRAT can obtain the computer name from a compromised host.306
S0449 Maze Maze has checked the language of the infected system using the “GetUSerDefaultUILanguage” function.34
S1059 metaMain metaMain can collect the computer name from a compromised host.90
S0455 Metamorfo Metamorfo has collected the hostname and operating system version from the compromised host.214215216
S0688 Meteor Meteor has the ability to discover the hostname of a compromised host.184
S0339 Micropsia Micropsia gathers the hostname and OS version from the victim’s machine.235236
S1015 Milan Milan can enumerate the targeted machine’s name and GUID.119118
S0051 MiniDuke MiniDuke can gather the hostname on a compromised machine.133
S0280 MirageFox MirageFox can collect CPU and architecture information from the victim’s machine.299
S0084 Mis-Type The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.23
S0083 Misdat The initial beacon packet for Misdat contains the operating system version of the victim.23
S0079 MobileOrder MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.293
S0553 MoleNet MoleNet can collect information about the about the system.171
S1026 Mongall Mongall can identify drives on compromised hosts and retrieve the hostname via gethostbyname.181
S0149 MoonWind MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.315
S0284 More_eggs More_eggs has the capability to gather the OS version and computer name.116117
G1009 Moses Staff Moses Staff collected information about the infected host, including the machine names and OS architecture.369
G0069 MuddyWater MuddyWater has used malware that can collect the victim’s OS version and machine name.395394398397396
S0233 MURKYTOP MURKYTOP has the capability to retrieve information about the OS.60
G0129 Mustang Panda Mustang Panda has gathered system information using systeminfo.386
S0205 Naid Naid collects a unique identifier (UID) from a compromised host.80
S0228 NanHaiShu NanHaiShu can gather the victim computer name and serial number.33
S0247 NavRAT NavRAT uses systeminfo on a victim’s machine.81
S0272 NDiskMonitor NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.203
S0630 Nebulae Nebulae can discover logical drive information including the drive type, free space, and volume information.43
S0691 Neoichor Neoichor can collect the OS version and computer name from a compromised host.241
S0457 Netwalker Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.177
S0198 NETWIRE NETWIRE can discover and collect victim system information.84
S0385 njRAT njRAT enumerates the victim operating system and computer name during the initial infection.307
S0353 NOKKI NOKKI can gather information on drives and the operating system on the victim’s machine.150
S0644 ObliqueRAT ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.159
S0346 OceanSalt OceanSalt can collect the computer name from the system.228
S0340 Octopus Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.36
G0049 OilRig OilRig has run hostname and systeminfo on a victim.391392393151
S0439 Okrum Okrum can collect computer name, locale information, and information about the OS and architecture.289
S0264 OopsIE OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.45
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used the systeminfo command to gather details about a compromised system.416
C0006 Operation Honeybee During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using cmd /c systeminfo > %temp%\ temp.ini.413
C0014 Operation Wocao During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.415
S0229 Orz Orz can gather the victim OS version and whether it is 64 or 32 bit.33
S0165 OSInfo OSInfo discovers information about the infected machine.260
S0402 OSX/Shlayer OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion.172173
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.2872884
S0208 Pasam Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.209
G0040 Patchwork Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim’s machine.370203
S0556 Pay2Key Pay2Key has the ability to gather the hostname of the victim machine.97
S0587 Penquin Penquin can report the file system type and disk space of a compromised host to C2.86
S0048 PinchDuke PinchDuke gathers system configuration information.115
S1031 PingPull PingPull can retrieve the hostname of a compromised host.237
S0501 PipeMon PipeMon can collect and send OS version and computer name as a part of its C2 beacon.54
S0124 Pisloader Pisloader has a command to collect victim system information, including the system name and OS version.318
S0254 PLAINTEE PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.250
S0428 PoetRAT PoetRAT has the ability to gather information about the compromised host.309
S0453 Pony Pony has collected the Service Pack, language, and region information to send to the C2.317
S0216 POORAIM POORAIM can identify system information, including battery status.24
S0378 PoshC2 PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.15
S0139 PowerDuke PowerDuke has commands to get information about the victim’s name, build, version, serial number, and memory usage.139
S0441 PowerShower PowerShower has collected system information on the infected host.167
S0223 POWERSTATS POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.153154
S0184 POWRUNER POWRUNER may collect information about the system by running hostname and systeminfo on a victim.52
S0113 Prikormka A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.270
S0238 Proxysvc Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.284
S0196 PUNCHBUGGY PUNCHBUGGY can gather system information such as computer names.266
S0192 Pupy Pupy can grab a system’s information including the OS version, architecture, etc.9
S0650 QakBot QakBot can collect system information including the OS version and domain on a compromised host.206207208
S0262 QuasarRAT QuasarRAT can gather system information from the victim’s machine including the OS type.12
S0458 Ramsay Ramsay can detect system information–including disk names, total space, and remaining space–to create a hardware profile GUID which acts as a system identifier for operators.4647
S0241 RATANKBA RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.294295
S0662 RCSession RCSession can gather system information from a compromised host.316
S0172 Reaver Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.158
S0153 RedLeaves RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.144143
S0125 Remsec Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.156
S0379 Revenge RAT Revenge RAT collects the CPU information, OS information, and system language.135
S0496 REvil REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.221222223224224225226227
S0433 Rifdoor Rifdoor has the ability to identify the Windows version on the compromised host.296
S0448 Rising Sun Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.346
G0106 Rocke Rocke has used uname -m to collect the name and information about the infected system’s kernel.382
S0270 RogueRobin RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.61
S0240 ROKRAT ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.101102103104105106
S1073 Royal Royal can use GetNativeSystemInfo and GetLogicalDrives to enumerate system processors and logical drives.281282
S0148 RTM RTM can obtain the computer name, OS version, and default language identifier.314
S0253 RunningRAT RunningRAT gathers the OS version, logical drives information, processor information, and volume information.56
S0446 Ryuk Ryuk has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.242
S0085 S-Type The initial beacon packet for S-Type contains the operating system version and file system of the victim.23
S1018 Saint Bot Saint Bot can identify the OS version, CPU, and other details from a victim’s machine.138
G0034 Sandworm Team Sandworm Team used a backdoor to enumerate information about the infected system’s operating system.384385
S0461 SDBbot SDBbot has the ability to identify the OS version, OS bit information and computer name.13757
S0382 ServHelper ServHelper will attempt to enumerate Windows version and system architecture.176
S0596 ShadowPad ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.44
S0140 Shamoon Shamoon obtains the victim’s operating system version and keyboard layout and sends the information to the C2 server.2021
S1019 Shark Shark can collect the GUID of a targeted machine.119118
S0546 SharpStage SharpStage has checked the system settings to see if Arabic is the configured language.92
S0450 SHARPSTATS SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.154
S0445 ShimRatReporter ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.17
S0217 SHUTTERSPEED SHUTTERSPEED can collect system information.24
G1008 SideCopy SideCopy has identified the OS version of a compromised host.93
S0610 SideTwist SideTwist can collect the computer name of a targeted system.151
G0121 Sidewinder Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.353354
S0692 SILENTTRINITY SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.11
S0468 Skidmap Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.191
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.152
S0218 SLOWDRIFT SLOWDRIFT collects and sends system information to its C2.24
S0649 SMOKEDHAM SMOKEDHAM has used the systeminfo command on a compromised host.100
S0627 SodaMaster SodaMaster can enumerate the host name and OS version on a target system.322
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used fsutil to check available free space before executing actions that might create large files on disk.414
S0615 SombRAT SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.121
S0516 SoreFang SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.263
S0157 SOUNDBITE SOUNDBITE is capable of gathering system information.29
G0054 Sowbug Sowbug obtained OS version and hardware configuration from a victim.390
S0543 Spark Spark can collect the hostname, keyboard layout, and language from the system.22
S0374 SpeakUp SpeakUp uses the cat /proc/cpuinfo
S0646 SpicyOmelette SpicyOmelette can identify the system name of a compromised host.283
S1030 Squirrelwaffle Squirrelwaffle has gathered victim computer information and configurations.308
S0058 SslMM SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.248
S1037 STARWHALE STARWHALE can gather the computer name of an infected host.163162
G0038 Stealth Falcon Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.400
S0380 StoneDrill StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.78
S0142 StreamEx StreamEx has the ability to enumerate system information.211
S1034 StrifeWater StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host.69
S0491 StrongPity StrongPity can identify the hard disk volume serial number on a compromised host.66
S0603 Stuxnet Stuxnet collects system information including computer and domain names, OS version, and S7P paths.178
S0559 SUNBURST SUNBURST collected hostname, OS version, and device uptime.253254
S1064 SVCReady SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of systeminfo.exe.25
S0242 SynAck SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.147
S0060 Sys10 Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.248
S0464 SYSCON SYSCON has the ability to use Systeminfo to identify system information.59
S0096 Systeminfo Systeminfo can be used to gather information about the operating system.7
S0663 SysUpdate SysUpdate can collect a system’s architecture, operating system version, hostname, and drive information.200199
S0098 T9000 T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.31
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can use DriveList to retrieve drive information.146
S0467 TajMahal TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.234
G0139 TeamTNT TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.407408
S0665 ThreatNeedle ThreatNeedle can collect system profile information from a compromised host.249
S0678 Torisma Torisma can use GetlogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive.19
S0266 TrickBot TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.276277278279
S0094 Trojan.Karagany Trojan.Karagany can capture information regarding the victim’s OS, security, and hardware configuration.77
G0081 Tropic Trooper Tropic Trooper has detected a target system’s OS version and system volume information.72409
S0647 Turian Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.238
G0010 Turla Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.366367
S0199 TURNEDUP TURNEDUP is capable of gathering system information.140
S0263 TYPEFRAME TYPEFRAME can gather the disk volume information.233
S0130 Unknown Logger Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.134
S0275 UPPERCUT UPPERCUT has the capability to gather the system’s hostname and OS version.155
S0386 Ursnif Ursnif has used Systeminfo to gather system information.190
S0476 Valak Valak can determine the Windows version and computer name on a compromised host.130129
S0257 VERMIN VERMIN collects the OS name, machine name, and architecture information.329
S0180 Volgmer Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim’s machine.113112114
S0670 WarzoneRAT WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.82
S0514 WellMess WellMess can identify the computer name of a compromised host.267268
S0689 WhisperGate WhisperGate has the ability to enumerate fixed logical drives on a targeted system.312
G0124 Windigo Windigo has used a script to detect which Linux distribution and version is currently installed on the system.68
S0155 WINDSHIELD WINDSHIELD can gather the victim computer name.29
G0112 Windshift Windshift has used malware to identify the computer name of a compromised host.406
S0219 WINERACK WINERACK can gather information about the host.24
S0176 Wingbird Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.166
S0059 WinMM WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.248
S0141 Winnti for Windows Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.122
G0102 Wizard Spider Wizard Spider has used “systeminfo” and similar commands to acquire detailed configuration information of a victim machine.383
S1065 Woody RAT Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, environment variables, and storage drives.32
S0161 XAgentOSX XAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.157
S0658 XCSSET XCSSET identifies the macOS version and uses ioreg to determine serial number.187
S0388 YAHOYAH YAHOYAH checks for the system’s Windows OS version and hostname.72
S0248 yty yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.339
S0251 Zebrocy Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. 348245349246350351352
S0230 ZeroT ZeroT gathers the victim’s computer name, Windows version, and system language, and then sends it to its C2 server.111
S0330 Zeus Panda Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.7576
G0128 ZIRCONIUM ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.379
S0086 ZLib ZLib has the ability to enumerate system information.23
S0672 Zox Zox can enumerate attached drives.149
S0350 zwShell zwShell can obtain the victim PC name and OS version.63
S0412 ZxShell ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.292
S1013 ZxxZ ZxxZ has collected the host name and operating system product name from a compromised machine.124


ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution


  1. Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020. 

  2. Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020. 

  3. Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019. 

  4. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  5. Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021. 

  6. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. 

  7. Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016. 

  8. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 

  9. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  10. Microsoft. (n.d.). Dir. Retrieved April 18, 2016. 

  11. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  12. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  13. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  14. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  15. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 

  16. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  17. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  18. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  19. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  20. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. 

  21. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  22. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  23. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  24. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 

  25. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  26. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  27. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  28. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  29. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  30. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  31. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. 

  32. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  33. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  34. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  35. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  36. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  37. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. 

  38. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. 

  39. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. 

  40. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  41. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  42. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  43. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  44. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  45. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  46. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  47. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  48. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. 

  49. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. 

  50. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  51. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  52. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  53. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  54. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  55. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. 

  56. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  57. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  58. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  59. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. 

  60. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  61. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  62. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. 

  63. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  64. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  65. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  66. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  67. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  68. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  69. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  70. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  71. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  72. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  73. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022. 

  74. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022. 

  75. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  76. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  77. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  78. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  79. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. 

  80. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018. 

  81. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  82. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  83. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. 

  84. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. 

  85. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  86. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  87. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 

  88. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  89. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  90. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  91. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  92. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  93. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. 

  94. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  95. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  96. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. 

  97. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020. 

  98. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  99. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  100. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. 

  101. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018. 

  102. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 

  103. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. 

  104. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  105. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  106. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  107. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  108. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. 

  109. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  110. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  111. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  112. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. 

  113. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. 

  114. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  115. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  116. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  117. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. 

  118. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  119. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  120. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  121. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  122. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 

  123. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  124. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  125. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  126. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  127. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  128. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. 

  129. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. 

  130. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. 

  131. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  132. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  133. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  134. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  135. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  136. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  137. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  138. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  139. O’Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. 

  140. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  141. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  142. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  143. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  144. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  145. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  146. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. 

  147. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. 

  148. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  149. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  150. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  151. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  152. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  153. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  154. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  155. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  156. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  157. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  158. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  159. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  160. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  161. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  162. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 

  163. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. 

  164. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  165. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. 

  166. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  167. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  168. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  169. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 

  170. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  171. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 

  172. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. 

  173. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021. 

  174. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. 

  175. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  176. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. 

  177. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22  

  178. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  179. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  180. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  181. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  182. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  183. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  184. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  185. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  186. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  187. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. 

  188. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  189. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. 

  190. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  191. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020. 

  192. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. 

  193. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  194. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  195. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. 

  196. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. 

  197. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  198. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  199. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  200. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021. 

  201. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  202. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  203. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018. 

  204. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  205. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  206. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  207. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  208. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. 

  209. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  210. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. 

  211. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. 


  213. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  214. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  215. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  216. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  217. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  218. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  219. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  220. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  221. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  222. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  223. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  224. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  225. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. 

  226. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  227. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. 

  228. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019. 

  229. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. 

  230. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 


  232. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  233. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  234. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. 

  235. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  236. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  237. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  238. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  239. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  240. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  241. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  242. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. 

  243. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021. 

  244. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  245. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  246. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  247. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  248. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  249. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  250. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  251. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  252. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  253. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  254. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  255. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. 

  256. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  257. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  258. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  259. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  260. FinFisher. (n.d.). Retrieved December 20, 2017. 

  261. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  262. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  263. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 


  265. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  266. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  267. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 


  269. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  270. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. 

  271. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  272. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  273. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  274. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  275. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. 

  276. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  277. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021. 

  278. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  279. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. 

  280. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023. 

  281. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  282. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  283. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  284. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  285. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. 

  286. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. 

  287. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  288. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  289. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  290. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  291. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 

  292. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. 

  293. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  294. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. 

  295. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  296. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. 

  297. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  298. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023. 

  299. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. 

  300. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  301. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  302. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  303. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  304. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  305. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  306. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  307. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  308. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  309. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  310. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  311. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  312. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  313. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  314. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  315. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. 

  316. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. 

  317. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  318. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020. 

  319. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  320. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  321. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  322. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020. 

  323. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  324. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  325. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  326. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  327. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  328. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. 

  329. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. 

  330. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  331. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  332. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  333. Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. 

  334. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. 

  335. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. 

  336. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  337. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  338. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018. 

  339. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  340. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  341. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. 

  342. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. 

  343. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  344. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  345. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  346. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  347. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  348. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  349. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  350. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  351. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. 

  352. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  353. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. 

  354. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  355. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. 

  356. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020. 

  357. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  358. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  359. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  360. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  361. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  362. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  363. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  364. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  365. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  366. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  367. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. 

  368. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  369. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  370. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  371. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  372. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  373. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017. 

  374. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  375. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  376. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  377. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  378. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  379. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  380. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  381. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020. 

  382. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  383. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. 

  384. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  385. Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018. 

  386. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. 

  387. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  388. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  389. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. 

  390. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  391. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. 

  392. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  393. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  394. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  395. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 

  396. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020. 

  397. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. 

  398. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. 

  399. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. 

  400. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  401. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  402. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  403. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

  404. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  405. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  406. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  407. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  408. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  409. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  410. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  411. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. 

  412. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  413. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.