Skip to content

T1083 File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.1 Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).2

Some files and directories may require elevated or specific user permissions to access.

Item Value
ID T1083
Sub-techniques
Tactics TA0007
Platforms ESXi, Linux, Network Devices, Windows, macOS
Version 1.7
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0066 3PARA RAT 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.74
S0065 4H RAT 4H RAT has the capability to obtain file and directory listings.74
S1167 AcidPour AcidPour can identify specific files and directories within the Linux operating system corresponding with storage devices for follow-on wiping activity, similar to AcidRain.318
S1125 AcidRain AcidRain identifies specific files and directories in the Linux operating system associated with storage devices.319
S1028 Action RAT Action RAT has the ability to collect drive and file information on an infected machine.306
G0018 admin@338 admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir “c:\Documents and Settings” >> %temp%\download dir “c:\Program Files" >> %temp%\download dir d:\ >> %temp%\download377
S0045 ADVSTORESHELL ADVSTORESHELL can list files and directories.183184
S1129 Akira Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as GetFileAttributesW.3132
S1194 Akira _v2 Akira _v2 can target specific files and folders for encryption.27532276
S1025 Amadey Amadey has searched for folders associated with antivirus software.23
G1007 Aoqin Dragon Aoqin Dragon has run scripts to identify file formats including Microsoft Word.252
S0622 AppleSeed AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.267
G0026 APT18 APT18 can list files information for specific directories.412
G0007 APT28 APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.10370
G0022 APT3 APT3 has a tool that looks for files and directories on the local file system.393394
G0050 APT32 APT32’s backdoor possesses the capability to list files and directories on a machine. 395
G0082 APT38 APT38 have enumerated files and directories, or searched in specific locations within a compromised host.369
G0087 APT39 APT39 has used tools with the ability to search for files on a compromised host.398
G0096 APT41 APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.408
G1023 APT5 APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.413
S0456 Aria-body Aria-body has the ability to gather metadata from a file and to search for file and directory names.300
S0438 Attor Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.18
S0347 AuditCred AuditCred can search through folders and files on the system.68
S0129 AutoIt backdoor AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.103
S0640 Avaddon Avaddon has searched for specific files prior to encryption.106
S0473 Avenger Avenger has the ability to browse files in directories such as Program Files and the Desktop.81
S1053 AvosLocker AvosLocker has searched for files and directories on a compromised network.221222
S0344 Azorult Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.323
S0638 Babuk Babuk has the ability to enumerate files on a targeted system.351352
S0414 BabyShark BabyShark has used dir to search for “programfiles” and “appdata”.131
S0475 BackConfig BackConfig has the ability to identify folders and files related to previous infections.71
S0093 Backdoor.Oldrea Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.277
S0031 BACKSPACE BACKSPACE allows adversaries to search for files.120
S0642 BADFLICK BADFLICK has searched for files on the infected host.213
S0128 BADNEWS BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.273
S0337 BadPatch BadPatch searches for files with specific file extensions.124
S0234 Bandook Bandook has a command to list files on a system.201
S0239 Bankshot Bankshot searches for files on the victim’s machine.72
S0534 Bazar Bazar can enumerate the victim’s desktop.3536
S0127 BBSRAT BBSRAT can list file and directory information.226
S1246 BeaverTail BeaverTail has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration.29729852
S0268 Bisonal Bisonal can retrieve a file listing from the system.178179
S1070 Black Basta Black Basta can enumerate specific files for encryption.158156160161163159162157
S1068 BlackCat BlackCat can enumerate files for encryption.345
S0069 BLACKCOFFEE BLACKCOFFEE has the capability to enumerate files.16
S0089 BlackEnergy BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.9697
S0564 BlackMould BlackMould has the ability to find files on the targeted system.239
S0520 BLINDINGCAN BLINDINGCAN can search, read, write, move, and execute files.293294
S0657 BLUELIGHT BLUELIGHT can enumerate files and collect associated metadata.282
S1184 BOLDMOVE BOLDMOVE can list information of all files in the system recursively from the root directory or from a specified directory.143
S0635 BoomBox BoomBox can search for specific files and directories on a machine.206
S0651 BoxCaon BoxCaon has searched for files on the system, such as documents located in the desktop folder.64
S0252 Brave Prince Brave Prince gathers file and directory information from the victim’s machine.167
G0060 BRONZE BUTLER BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.419
C0015 C0015 During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.420
S0693 CaddyWiper CaddyWiper can enumerate all files and directories on a compromised host.214
S0351 Cannon Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.269
S0348 Cardinal RAT Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).92
S0572 Caterpillar WebShell Caterpillar WebShell can search for files in directories.104
S1043 ccf32 ccf32 can parse collected files to identify specific file extensions.283
S0674 CharmPower CharmPower can enumerate drives and list the contents of the C: drive on a victim’s computer.189
S0144 ChChes ChChes collects the victim’s %TEMP% directory path and version of Internet Explorer.260
S1096 Cheerscrypt Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.328
G0114 Chimera Chimera has utilized multiple commands to identify data of interest in file and directory listings.376
S1149 CHIMNEYSWEEP CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list.112
S0020 China Chopper China Chopper’s server component can list directory contents.279353
S0023 CHOPSTICK An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.183
S0660 Clambling Clambling can browse directories on a compromised host.7980
S0611 Clop Clop has searched folders and subfolders for files to encrypt.209
S0106 cmd cmd can be used to find files and directories with native functionality such as dir commands.4
S1105 COATHANGER COATHANGER will survey the contents of system files during installation.188
S0154 Cobalt Strike Cobalt Strike can explore files on a compromised system.164
G0142 Confucius Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.407
G1052 Contagious Interview Contagious Interview has conducted key word searches within files and directories on a compromised hosts to identify files for exfiltration.5254
S0575 Conti Conti can discover files on a local system.181
S0492 CookieMiner CookieMiner has looked for files in the user’s home directory with “wallet” in their name using find.137
S0212 CORALDECK CORALDECK searches for specified files.59
S0050 CosmicDuke CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.146
S0488 CrackMapExec CrackMapExec can discover specified filetypes and log files on a targeted system.11
S1023 CreepyDrive CreepyDrive can specify the local file path to upload files from.240
S0115 Crimson Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.383739
S0235 CrossRAT CrossRAT can list all files on a system.138
S0498 Cryptoistic Cryptoistic can scan a directory to identify files for deletion.253
S0625 Cuba Cuba can enumerate files by using a variety of functions.144
S1153 Cuckoo Stealer Cuckoo Stealer can search for files associated with specific applications.134135
S0687 Cyclops Blink Cyclops Blink can use the Linux API statvfs to enumerate the current working directory.152153
S0497 Dacls Dacls can scan directories on a compromised host.330
G0070 Dark Caracal Dark Caracal collected file listings of all default Windows directories.138
S1111 DarkGate Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue.254
G0012 Darkhotel Darkhotel has used malware that searched for files with specific patterns.402
S0673 DarkWatchman DarkWatchman has the ability to enumerate file and folder names.165
S0255 DDKONG DDKONG lists files on the victim’s machine.245
S0616 DEATHRANSOM DEATHRANSOM can use loop operations to enumerate directories on a compromised host.139
S0354 Denis Denis has several commands to search directories for files.246247
S0021 Derusbi Derusbi is capable of obtaining directory, file, and drive listings.278279
S0659 Diavol Diavol has a command to traverse the files and directories in a given path.69
S0600 Doki Doki has resolved the path of a process PID to use as a script argument.237
S0472 down_new down_new has the ability to list the directories on a compromised host.81
G0035 Dragonfly Dragonfly has used a batch script to gather folder and file names from victim hosts.368367366
S0547 DropBook DropBook can collect the names of all files and folders in the Program Files directories.113114
S0567 Dtrack Dtrack can list files on available disk volumes.243244
S1159 DUSTTRAP DUSTTRAP can enumerate files and directories.203
S0062 DustySky DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.348349
S0081 Elise A variant of Elise executes dir C:\progra~1 when initially run.177176
S0064 ELMER ELMER is capable of performing directory listings.44
S1247 Embargo Embargo has searched for folders, subfolders and other networked or mounted drives for follow on encryption actions.56 Embargo has also iterated device volumes using FindFirstVolumeW() and FindNextVolumeW() functions and then calls the GetVolumePathNamesForVolumeNameW() function to retrieve a list of drive letters and mounted folder paths for each specified volume.56
S0363 Empire Empire includes various modules for finding files of interest on hosts and network shares.6
S0091 Epic Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.7778
S1179 Exbyte Exbyte enumerates all document files on an infected machine, then creates a summary of these items including filename and directory location prior to exfiltration to cloud hosting services.187
S0181 FALLCHILL FALLCHILL can search files on a victim.75
S0512 FatDuke FatDuke can enumerate directories on target machines.180
G1016 FIN13 FIN13 has used the Windows dir command to enumerate files and directories in a victim’s network.416
S0182 FinFisher FinFisher enumerates directories and scans for certain files.186185
S0618 FIVEHANDS FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.154155
S0036 FLASHFLOOD FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.120
S0661 FoggyWeb FoggyWeb’s loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.268
S0193 Forfiles Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)10
G0117 Fox Kitten Fox Kitten has used WizTree to obtain network files and directory listings.414
S0277 FruitFly FruitFly looks for specific files and file types.320
S1044 FunnyDream FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.283
S0628 FYAnti FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.212
S0410 Fysbis Fysbis has the ability to search for files.46
G0047 Gamaredon Group Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.362365363 Gamaredon Group has also identified directory trees, folders and files on the compromised host.364
S0666 Gelsemium Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.197
S0049 GeminiDuke GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user’s home folder, files and folders present in any user’s My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.63
S0249 Gold Dragon Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.167
S0493 GoldenSpy GoldenSpy has included a program “ExeProtector”, which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.210
S1198 Gomir Gomir collects information about directory and file structures, including total number of subdirectories, total number of files, and total size of files on infected systems.286
S0237 GravityRAT GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.200
S0632 GrimAgent GrimAgent has the ability to enumerate files and directories on a compromised host.108
G0125 HAFNIUM HAFNIUM has searched file contents on a compromised host.353
S1229 Havoc The Havoc interface can display a file explorer view of the compromised host.168
S0697 HermeticWiper HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.150151
S1027 Heyoka Backdoor Heyoka Backdoor has the ability to search the compromised host for files.252
S0376 HOPLIGHT HOPLIGHT has been observed enumerating system drives and partitions.122
S0431 HotCroissant HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.234
S0070 HTTPBrowser HTTPBrowser is capable of listing files, folders, and drives on a victim.93256
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.288289
S1022 IceApple The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.305
S0434 Imminent Monitor Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.15
S1139 INC Ransomware INC Ransomware can receive command line arguments to encrypt specific files and directories.248249
G0100 Inception Inception used a file listing plugin to collect information about file and directories both on local and remote drives.371
S0604 Industroyer Industroyer’s data wiper component enumerates specific files on all the Windows drives.166
S0259 InnaputRAT InnaputRAT enumerates directories and obtains file attributes on a system.140
S1245 InvisibleFerret InvisibleFerret has identified specific directories and files for exfiltration using the ssh_upload command which contains subcommands of .sdira, sdir, sfile, sfinda, sfindr, sfind.5253 InvisibleFerret also has the capability to scan and upload files of interest from multiple OS systems through the use of scripts that check file names, file extensions, and avoids certain path names.5154 InvisibleFerret has utilized the findstr on Windows or the macOS find commands to search for files of interest.55
S0260 InvisiMole InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.265
S0015 Ixeshe Ixeshe can list file and directory information.274
S0201 JPIN JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.119
S0283 jRAT jRAT can browse file systems.207208
S0088 Kasidet Kasidet has the ability to search for a given filename on a victim.302
S0265 Kazuar Kazuar finds a specified directory, lists the files and metadata about those files.148
G0004 Ke3chang Ke3chang uses command-line interaction to search files and directories.378379
S0387 KeyBoy KeyBoy has a command to launch a file browser or explorer on the system.242
S0271 KEYMARBLE KEYMARBLE has a command to search for files on the victim’s machine.90
S0526 KGH_SPY KGH_SPY can enumerate files and directories on a compromised host.270
S0607 KillDisk KillDisk has used the FindNextFile command as part of its file deletion process.50
G0094 Kimsuky Kimsuky has the ability to enumerate all files and directories on an infected system.406404405
S0599 Kinsing Kinsing has used the find command to search for specific files.22
S0437 Kivars Kivars has the ability to list drives on the infected host.95
S0250 Koadic Koadic can obtain a list of directories.9
S0356 KONNI A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.315
C0035 KV Botnet Activity KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: \/usr\/sbin\/, \/usr\/bin\/, \/sbin\/, \/pfrm2.0\/bin\/, \/usr\/local\/bin\/.428
S0236 Kwampirs Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> “C:\windows\TEMP[RANDOM].tmp”.116
S1160 Latrodectus Latrodectus can collect desktop filenames.128127129
G0032 Lazarus Group Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.399198401400
G0077 Leafminer Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.415
S1185 LightSpy LightSpy uses the NSFileManager to move, create and delete files. LightSpy can also use the assembly bt instruction to determine a file’s executable permissions.196
S0211 Linfo Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.145
S1121 LITTLELAMB.WOOLTEA LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of /tmp/data/root/dev.337
S1199 LockBit 2.0 LockBit 2.0 can exclude files associated with core system functions from encryption.199
S1202 LockBit 3.0 LockBit 3.0 can exclude files associated with core system functions from encryption.130
S1101 LoFiSe LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg.118
S0447 Lokibot Lokibot can search for specific files on an infected host.121
S0582 LookBack LookBack can retrieve file listings from the victim machine.299
G0030 Lotus Blossom Lotus Blossom has used commands such as dir to examine the local filesystem of victim machines.390
G1014 LuminousMoth LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.392391
S1142 LunarMail LunarMail can search its staging directory for output files it has produced.99
S1141 LunarWeb LunarWeb has the ability to retrieve directory listings.99
S0409 Machete Machete produces file listings in order to search for files to be exfiltrated.309310311
S1016 MacMa MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.338
S1060 Mafalda Mafalda can search for files and directories.262
G0059 Magic Hound Magic Hound malware can list a victim’s logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory’s contents.388
S1169 Mango Mango can enumerate the contents of current working or other specified directories.123
S1156 Manjusaka Manjusaka can gather information about specific files on the victim system.170
S0652 MarkiRAT MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.76
G1051 Medusa Group Medusa Group has searched for files within the victim environment for encryption and exfiltration.257258259 Medusa Group has also identified files associated with remote management services.257258
S1244 Medusa Ransomware Medusa Ransomware has searched for files within the victim environment for encryption and exfiltration.257258259 Medusa Ransomware has also identified files associated with remote management services.257258
S0576 MegaCortex MegaCortex can parse the available drives and directories to determine which files to encrypt.133
S1191 Megazord Megazord can ignore specified directories for encryption.276
G0045 menuPass menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.403
S0443 MESSAGETAP MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.350
S1059 metaMain metaMain can recursively enumerate files in an operator-provided directory.262263
S0455 Metamorfo Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.342343344
S0339 Micropsia Micropsia can perform a recursive directory listing for all volume drives available on the victim’s machine and can also fetch specific files by their paths.60
S0051 MiniDuke MiniDuke can enumerate local drives.180
S0083 Misdat Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.61
S1122 Mispadu Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim’s machine.271
S0079 MobileOrder MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.236
S0149 MoonWind MoonWind has a command to return a directory listing for a specified directory.132
G0069 MuddyWater MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords “Kasper,” “Panda,” or “ESET.”387
S1135 MultiLayer Wiper MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list.327
G0129 Mustang Panda Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.396397
S0272 NDiskMonitor NDiskMonitor can obtain a list of all files and directories as well as logical drives.273
S0630 Nebulae Nebulae can list files and directories on a compromised host.264
S0034 NETEAGLE NETEAGLE allows adversaries to enumerate and modify the infected host’s file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.120
S0198 NETWIRE NETWIRE has the ability to search for files on the compromised host.169
C0002 Night Dragon During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.110
S1090 NightClub NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files.98
S1100 Ninja Ninja has the ability to enumerate directory content.117118
S0385 njRAT njRAT can browse file systems using a file manager module.65
S0368 NotPetya NotPetya searches for files ending with dozens of different file extensions prior to encryption.204
S0644 ObliqueRAT ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.225
S0346 OceanSalt OceanSalt can extract drive information from the endpoint and search files on the system.89
S0340 Octopus Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.171172173
S1170 ODAgent ODAgent can identify the current working directory.233
S0439 Okrum Okrum has used DriveLetterView to enumerate drive information.224
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used dir c:\\ to search for files.422
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.427
C0006 Operation Honeybee During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords.421
C0014 Operation Wocao During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest.426
S0229 Orz Orz can gather victim drive information.17
S0402 OSX/Shlayer OSX/Shlayer has used the command appDir=”$(dirname $(dirname “$currentDir”))” and $(dirname “$(pwd -P)”) to construct installation paths.250251
S1017 OutSteel OutSteel can search for specific file extensions, including zipped files.211
S0072 OwaAuth OwaAuth has a command to list its directory and logical drives.93
S0598 P.A.S. Webshell P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.34
S1109 PACEMAKER PACEMAKER can parse /proc/"process_name"/cmdline to look for the string dswsd within the command line.324
S0208 Pasam Pasam creates a backdoor through which remote attackers can retrieve lists of files.261
G0040 Patchwork A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.360273
S1102 Pcexter Pcexter has the ability to search for files in specified directories.118
S0587 Penquin Penquin can use the command code do_vslist to send file names, size, and status to C2.308
S0643 Peppy Peppy can identify specific files for exfiltration.38
S0048 PinchDuke PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.63
S1031 PingPull PingPull can enumerate storage volumes and folder contents of a compromised host.73
S0124 Pisloader Pisloader has commands to list drives on the victim machine and to list file information for a given directory.334
G1040 Play Play has used the Grixba information stealer to list security files and processes.266
S1162 Playcrypt Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.266
S0435 PLEAD PLEAD has the ability to list drives and files on the compromised host.95223
S0013 PlugX PlugX has a module to enumerate drives and find files recursively.25262729 PlugX has also checked the path from which it is running for specific parameters prior to execution. 252830
S0428 PoetRAT PoetRAT has the ability to list files upon receiving the ls command from C2.84
S0216 POORAIM POORAIM can conduct file browsing.59
S0378 PoshC2 PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.8
S0139 PowerDuke PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.70
S0184 POWRUNER POWRUNER may enumerate user directories on a victim.241
S1058 Prestige Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.285
S0113 Prikormka A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.329
S0238 Proxysvc Proxysvc lists files in directories.198
S0078 Psylo Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.236
S0147 Pteranodon Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.136
S0192 Pupy Pupy can walk through directories and recursively search for strings in files.7
S0650 QakBot QakBot can identify whether it has been run previously on a host by checking for a specified folder.83
S1242 Qilin Qilin can exclude specific directories and files from encryption.290
S0686 QuietSieve QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.229
S1148 Raccoon Stealer Raccoon Stealer identifies target files and directories for collection based on a configuration file.336335
S0629 RainyDay RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.264
S0458 Ramsay Ramsay can collect directory and file lists.303304
S1212 RansomHub RansomHub has the ability to only encrypt specific files.255
S0055 RARSTONE RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.94
S1130 Raspberry Robin Raspberry Robin will check to see if the initial executing script is located on the user’s Desktop as an anti-analysis check.235
S1040 Rclone Rclone can list files and directories with the ls, lsd, and lsl commands.5
G1039 RedCurl RedCurl has searched for and collected files on local and network drives.372373374
S0153 RedLeaves RedLeaves can enumerate and search for files and directories.316260
S0332 Remcos Remcos can search for files on the infected machine.14
S0375 Remexi Remexi searches for files on the system. 325
S0592 RemoteUtilities RemoteUtilities can enumerate files and directories on a target machine.13
S0125 Remsec Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.474849
S0496 REvil REvil has the ability to identify specific files and directories that are not to be encrypted.190191192193194195
S0448 Rising Sun Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.307
S1150 ROADSWEEP ROADSWEEP can enumerate files on infected devices and avoid encrypting files with .exe, .dll, .sys, .lnk, or . lck extensions.112312313
S0240 ROKRAT ROKRAT has the ability to gather a list of files and directories on the infected system.230231232
S0090 Rover Rover automatically searches for files on local drives based on a predefined list of file extensions.332
S1073 Royal Royal can identify specific files and directories to exclude from the encryption process.339340341
S0148 RTM RTM can check for specific files and directories associated with virtualization and malware analysis.314
S0446 Ryuk Ryuk has enumerated files and folders on all mounted drives.82
S1018 Saint Bot Saint Bot can search a compromised host for specific files.211
C0059 Salesforce Data Exfiltration During Salesforce Data Exfiltration, threat actors queried customers’ Salesforce environments to identify sensitive information for exfiltration.424
S1099 Samurai Samurai can use a specific module for file enumeration.117
G0034 Sandworm Team Sandworm Team has enumerated files on a compromised host.204380
G1015 Scattered Spider Scattered Spider Spider enumerates a target organization for files and directories of interest, including source code, user provisioning, MFA device registration, network diagrams, and shared credentials in documents or spreadsheets.383386385382384
S0461 SDBbot SDBbot has the ability to get directory listings or drive information on a compromised host.21
S0345 Seasalt Seasalt has the capability to identify the drive type on a victim.89
C0058 SharePoint ToolShell Exploitation During SharePoint ToolShell Exploitation, threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content.423
S1089 SharpDisco SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either %USERPROFILE%\Recent (Windows XP) or %APPDATA%\Microsoft\Windows\Recent (newer Windows versions) .98
S0444 ShimRat ShimRat can list directories.333
S0063 SHOTPUT SHOTPUT has a command to obtain a directory listing.91
S0610 SideTwist SideTwist has the ability to search for specific files.107
G0121 Sidewinder Sidewinder has used malware to collect information on files and directories.381
S0692 SILENTTRINITY SILENTTRINITY has several modules, such as ls.py, pwd.py, and recentFiles.py, to enumerate directories and files.12
S0623 Siloscape Siloscape searches for the Kubernetes config file and other related files using a regular expression.280
S0468 Skidmap Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. 109
S0633 Sliver Sliver can enumerate files on a target system.3
S0533 SLOTHFULMEDIA SLOTHFULMEDIA can enumerate files and directories.182
S0226 Smoke Loader Smoke Loader recursively searches through directories for files.346
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.425
S0615 SombRAT SombRAT can execute enum to enumerate files in storage on a compromised system.326
S0516 SoreFang SoreFang has the ability to list directories.102
S0157 SOUNDBITE SOUNDBITE is capable of enumerating and manipulating files and directories.287
G0054 Sowbug Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.361
S0035 SPACESHIP SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.120
S1140 Spica Spica can list filesystem contents on targeted systems.147
S1234 SplatCloak SplatCloak has used Windows API to identify files associated with Windows Defender and Kaspersky.301
S1200 StealBit StealBit can be configured to exfiltrate specific file types.199356
S0142 StreamEx StreamEx has the ability to enumerate drive types.291
S1034 StrifeWater StrifeWater can enumerate files on a compromised host.281
S0491 StrongPity StrongPity can parse the hard drive on a compromised host to identify specific file extensions.227
S0603 Stuxnet Stuxnet uses a driver to scan for specific filesystem driver objects.215
S1042 SUGARDUMP SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string Profile in its name.45
S0559 SUNBURST SUNBURST had commands to enumerate files and directories.141142
S0562 SUNSPOT SUNSPOT enumerated the Orion software Visual Studio solution directory path.174
S0242 SynAck SynAck checks its directory location in an attempt to avoid launching in a sandbox.4041
S0663 SysUpdate SysUpdate can search files on a compromised host.126125
S0011 Taidoor Taidoor can search for specific files.292
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.43
S0467 TajMahal TajMahal has the ability to index files from drives, user profiles, and removable drives.284
G0139 TeamTNT TeamTNT has used a script that checks /proc/*/environ for environment variables related to AWS.389
S0665 ThreatNeedle ThreatNeedle can obtain file and directory information.205
S0131 TINYTYPHON TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.103
G1022 ToddyCat ToddyCat has run scripts to enumerate recently modified documents having either a .pdf, .doc, .docx, .xls or .xlsx extension.118
S0266 TrickBot TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.295296
S0094 Trojan.Karagany Trojan.Karagany can enumerate files and directories on a compromised host.202
S1196 Troll Stealer Troll Stealer can enumerate and collect items from local drives and folders.228
G0081 Tropic Trooper Tropic Trooper has monitored files’ modified time.105
S0436 TSCookie TSCookie has the ability to discover drive information on the infected host.115
S0647 Turian Turian can search for specific files and list directories.58
G0010 Turla Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user’s desktop, the Program Files directory, and Recent.77417 Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.418
S0263 TYPEFRAME TYPEFRAME can search directories for files on the victim’s machine.355
G1048 UNC3886 UNC3886 has used vmtoolsd.exe to enumerate files on guest machines.359358
S0275 UPPERCUT UPPERCUT has the capability to gather the victim’s current directory.347
S0022 Uroburos Uroburos can search for specific files on a compromised system.354
S0452 USBferry USBferry can detect the victim’s file or folder list.105
S0136 USBStealer USBStealer searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names.1920
G1047 Velvet Ant Velvet Ant has enumerated local files and folders on victim devices.375
S0180 Volgmer Volgmer can list directories on a victim.33
G1017 Volt Typhoon Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings.357
S0366 WannaCry WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.101100
S0670 WarzoneRAT WarzoneRAT can enumerate directories on a compromise host.317
S0612 WastedLocker WastedLocker can enumerate files and directories just prior to encryption.272
S0689 WhisperGate WhisperGate can locate files based on hardcoded file extensions.87868588
G0124 Windigo Windigo has used a script to check for the presence of files created by OpenSSH backdoors.411
S0466 WindTail WindTail has the ability to enumerate the users home directory and the path to its own application bundle.6667
S0219 WINERACK WINERACK can enumerate files and directories.59
S0059 WinMM WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.57
S0141 Winnti for Windows Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.62
G0044 Winnti Group Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.409
G1035 Winter Vivern Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers.410
S1065 Woody RAT Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.24
S0161 XAgentOSX XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.149 XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.149
S0658 XCSSET XCSSET has used mdfind to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command ls -la ~/Desktop.321322
S0248 yty yty gathers information on victim’s drives and has a plugin for document listing.42
S0251 Zebrocy Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.216217218 Zebrocy can obtain the current execution path as well as perform drive enumeration.219220
S0330 Zeus Panda Zeus Panda searches for specific directories on the victim’s machine.331
S1114 ZIPLINE ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands.238
S0086 ZLib ZLib has the ability to enumerate files and drives.61
S0672 Zox Zox can enumerate files on a compromised host.175
S0350 zwShell zwShell can browse the file system.110
S0412 ZxShell ZxShell has a command to open a file manager and explorer on the system.111

References

  1. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. 

  2. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. 

  3. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021. 

  4. Microsoft. (n.d.). Dir. Retrieved April 18, 2016. 

  5. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022. 

  6. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  7. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  8. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 

  9. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  10. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018. 

  11. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 

  12. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  13. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  14. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. 

  15. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  16. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024. 

  17. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  18. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  19. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  20. Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. 

  21. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  22. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. 

  23. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  24. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  25. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  26. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. 

  27. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  28. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  29. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025. 

  30. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024. 

  31. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024. 

  32. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. 

  33. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  34. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  35. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  36. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  37. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  38. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  39. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. 

  40. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018. 

  41. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  42. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  43. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. 

  44. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  45. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. 

  46. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  47. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016. 

  48. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  49. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021. 

  50. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025. 

  51. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  52. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025. 

  53. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  54. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025. 

  55. Cyble. (2024, May 24). The Rust Revolution: New Embargo Ransomware Steps In. Retrieved October 19, 2025. 

  56. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  57. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  58. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. 

  59. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  60. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  61. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  62. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  63. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  64. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  65. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 1). Retrieved October 3, 2019. 

  66. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019. 

  67. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  68. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 

  69. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  70. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  71. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  72. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  73. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  74. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  75. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  76. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  77. Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. 

  78. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  79. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  80. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  81. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  82. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  83. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  84. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  85. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. 

  86. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022. 

  87. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  88. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. 

  89. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  90. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016. 

  91. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  92. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  93. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016. 

  94. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  95. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  96. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. 

  97. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  98. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  99. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. 

  100. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024. 

  101. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  102. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  103. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  104. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  105. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. 

  106. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  107. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  108. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  109. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  110. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  111. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  112. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  113. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  114. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  115. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  116. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  117. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  118. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  119. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. 

  120. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  121. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  122. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  123. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  124. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  125. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  126. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. 

  127. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024. 

  128. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 

  129. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  130. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. 

  131. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  132. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  133. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024. 

  134. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024. 

  135. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  136. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. 

  137. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  138. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  139. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  140. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  141. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  142. Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024. 

  143. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  144. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. 

  145. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  146. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024. 

  147. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  148. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  149. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. 

  150. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  151. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  152. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. 

  153. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023. 

  154. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. 

  155. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024. 

  156. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023. 

  157. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. 

  158. Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023. 

  159. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023. 

  160. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. 

  161. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  162. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  163. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. 

  164. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  165. Ungur, P. (n.d.). HAVOC. Retrieved August 4, 2025. 

  166. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  167. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024. 

  168. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  169. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. 

  170. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  171. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  172. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  173. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024. 

  174. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  175. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  176. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  177. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  178. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  179. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  180. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  181. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  182. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  183. FinFisher. (n.d.). Retrieved September 12, 2024. 

  184. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024. 

  185. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024. 

  186. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  187. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  188. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  189. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  190. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  191. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  192. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  193. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025. 

  194. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  195. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  196. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025. 

  197. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  198. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  199. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  200. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  201. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  202. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  203. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  204. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  205. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019. 

  206. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. 

  207. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  208. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  209. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  210. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  211. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022. 

  212. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. 

  213. Kaspersky Lab’s Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. 

  214. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  215. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  216. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  217. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  218. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. 

  219. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023. 

  220. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. 

  221. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  222. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  223. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  224. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  225. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025. 

  226. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  227. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 

  228. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. 

  229. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  230. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024. 

  231. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  232. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024. 

  233. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  234. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. 

  235. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024. 

  236. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  237. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 

  238. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  239. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  240. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  241. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  242. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  243. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  244. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  245. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. 

  246. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024. 

  247. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. 

  248. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  249. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  250. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  251. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  252. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025. 

  253. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016. 

  254. Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025. 

  255. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025. 

  256. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. 

  257. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  258. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. 

  259. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  260. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  261. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  262. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  263. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. 

  264. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  265. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  266. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  267. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  268. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. 

  269. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  270. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  271. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  272. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024. 

  273. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025. 

  274. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 

  275. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. 

  276. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  277. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. 

  278. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  279. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  280. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  281. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  282. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  283. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025. 

  284. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  285. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. 

  286. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  287. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025. 

  288. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. 

  289. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  290. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  291. NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020. 

  292. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  293. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018. 

  294. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025. 

  295. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025. 

  296. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  297. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  298. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  299. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  300. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  301. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  302. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  303. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  304. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  305. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  306. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  307. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  308. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  309. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. 

  310. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. 

  311. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  312. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  313. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  314. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  315. Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024. 

  316. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024. 

  317. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  318. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022. 

  319. Microsoft Threat Intelligence. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects. Retrieved April 2, 2025. 

  320. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  321. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024. 

  322. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  323. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  324. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024. 

  325. Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023. 

  326. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  327. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. 

  328. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  329. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  330. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  331. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. 

  332. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 

  333. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  334. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024. 

  335. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  336. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. 

  337. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023. 

  338. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023. 

  339. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  340. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  341. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  342. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  343. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. 

  344. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  345. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 

  346. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  347. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. 

  348. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  349. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021. 

  350. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. 

  351. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  352. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  353. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025. 

  354. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  355. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025. 

  356. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025. 

  357. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024. 

  358. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  359. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  360. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024. 

  361. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025. 

  362. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  363. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021. 

  364. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. 

  365. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  366. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  367. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. 

  368. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020. 

  369. Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on ‘major Russian bank,’ Australian company. Retrieved August 9, 2024. 

  370. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. 

  371. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 

  372. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. 

  373. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. 

  374. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  375. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  376. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  377. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  378. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  379. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025. 

  380. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024. 

  381. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025. 

  382. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025. 

  383. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024. 

  384. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  385. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  386. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  387. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025. 

  388. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  389. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  390. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. 

  391. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017. 

  392. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  393. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. 

  394. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  395. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  396. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  397. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  398. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  399. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. 

  400. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  401. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  402. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. 

  403. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  404. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  405. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  406. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  407. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024. 

  408. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  409. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  410. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. 

  411. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  412. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. 

  413. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. 

  414. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  415. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  416. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  417. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  418. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  419. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  420. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025. 

  421. FBI Cyber Division. (2025, September 12). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. Retrieved October 22, 2025. 

  422. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  423. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  424. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  425. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.