Skip to content

T1105 Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.5 A number of these tools, such as wget, curl, and scp, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via certutil -hashfile).2

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).1

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.6 In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service’s web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim’s machine.3

Item Value
ID T1105
Sub-techniques
Tactics TA0011
Platforms ESXi, Linux, Network Devices, Windows, macOS
Version 2.6
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. 599
S0469 ABK ABK has the ability to download files from C2.62
S1028 Action RAT Action RAT has the ability to download additional payloads onto an infected machine.60
S0331 Agent Tesla Agent Tesla can download additional files for execution on the victim’s machine.168169
S0092 Agent.btz Agent.btz attempts to download an encrypted binary from a specified domain.465
G0130 Ajax Security Team Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.586
S1025 Amadey Amadey can download and execute files to further infect a host machine with additional malware.345
S0504 Anchor Anchor can download additional payloads.7071
G0138 Andariel Andariel has downloaded additional tools and malware onto compromised hosts.585
S1074 ANDROMEDA ANDROMEDA can download additional payloads from C2.54
G0099 APT-C-36 APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.559
G0026 APT18 APT18 can upload a file to the victim’s machine.530
G0007 APT28 APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.518519116520521
G0016 APT29 APT29 has downloaded additional tools and malware onto compromised networks.501218274502
G0022 APT3 APT3 has a tool that can copy files to remote machines.587
G0050 APT32 APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.539
G0064 APT33 APT33 has downloaded additional files and programs from its C2 server.543544
G0067 APT37 APT37 has downloaded second stage malware from compromised websites.130486104309
G0082 APT38 APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.511 Additionally, APT38 has downloaded other payloads onto a victim’s machine.512
G0087 APT39 APT39 has downloaded tools to compromised hosts.516517
G0096 APT41 APT41 used certutil to download additional files.555489557 APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access.556 APT41 has uploaded Procdump and NATBypass to a staging directory and has used these tools in follow-on activities.554
C0040 APT41 DUST APT41 DUST involved execution of certutil.exe via web shell to download the DUSTPAN dropper.264
G0143 Aquatic Panda Aquatic Panda has downloaded additional malware onto compromised hosts.510
S0456 Aria-body Aria-body has the ability to download additional payloads from C2.408
S0373 Astaroth Astaroth uses certutil and BITSAdmin to download additional malware. 365366204
S1087 AsyncRAT AsyncRAT has the ability to download files over SFTP.27
S0438 Attor Attor can download additional plugins, updates and other files. 203
S0347 AuditCred AuditCred can download files and additional malware.192
S0473 Avenger Avenger has the ability to download files from C2 to a compromised host.62
S0344 Azorult Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.236237
S0414 BabyShark BabyShark has downloaded additional files from the C2.8788
S0475 BackConfig BackConfig can download and execute additional payloads on a compromised host.90
S0093 Backdoor.Oldrea Backdoor.Oldrea can download additional modules from C2.320
G0135 BackdoorDiplomacy BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.390
S0642 BADFLICK BADFLICK has download files from its C2 server.392
S1081 BADHATCH BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine.262
S0128 BADNEWS BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.141375150
S0337 BadPatch BadPatch can download and execute or update malware.306
S0234 Bandook Bandook can download files to the system.180
S0239 Bankshot Bankshot uploads files and secondary payloads to the victim’s machine.339
S0534 Bazar Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.395396397398
S0470 BBK BBK has the ability to download files from C2 to the infected host.62
S1246 BeaverTail BeaverTail has been used to download a malicious payload to include Python based malware InvisibleFerret.369125126184186370
S0574 BendyBear BendyBear is designed to download an implant from a C2 server.63
S0017 BISCUIT BISCUIT has a command to download a file from the C2 server.259
S0268 Bisonal Bisonal has the capability to download files to execute on the victim’s machine.919293
S0190 BITSAdmin BITSAdmin can be used to create BITS Jobs to upload and/or download files.21
G1002 BITTER BITTER has downloaded additional malware and tools onto a compromised host.55469
G1043 BlackByte BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites.474
S0564 BlackMould BlackMould has the ability to download files to the victim’s machine.381
S0520 BLINDINGCAN BLINDINGCAN has downloaded files to a victim machine.94
S0657 BLUELIGHT BLUELIGHT can download additional files onto the host.104
S0486 Bonadan Bonadan can download additional modules from the C2 server.118
S0360 BONDUPDATER BONDUPDATER can download or upload files from its C2 server.428
S0635 BoomBox BoomBox has the ability to download next stage malware components to a compromised system.148
S0651 BoxCaon BoxCaon can download files.109
S0204 Briba Briba downloads files onto infected hosts.155
G0060 BRONZE BUTLER BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).112
S1063 Brute Ratel C4
Brute Ratel C4 can download files to compromised hosts.3029
S0471 build_downer build_downer has the ability to download files from C2 to the infected host.62
S1039 Bumblebee Bumblebee can download and execute additional payloads including through the use of a Dex command.241240239
S0482 Bundlore Bundlore can download and execute new versions of itself.233
S1118 BUSHWALK BUSHWALK can write malicious payloads sent through a web request’s command parameter.4241
C0010 C0010 During C0010, UNC3890 actors downloaded tools and malware onto a compromised host.605
C0015 C0015 During C0015, the threat actors downloaded additional tools and files onto a compromised network.595
C0017 C0017 During C0017, APT41 downloaded malicious payloads onto compromised systems.615
C0018 C0018 During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware onto the victim network.611610
C0021 C0021 During C0021, the threat actors downloaded additional tools and files onto victim machines.603602
C0026 C0026 During C0026, the threat actors downloaded malicious payloads onto select compromised hosts.54
C0027 C0027 During C0027, Scattered Spider downloaded tools using victim organization systems.592
S0274 Calisto Calisto has the capability to upload and download files to the victim’s machine.167
S0077 CallMe CallMe has the capability to download a file to the victim from the C2 server.202
S0351 Cannon Cannon can download a payload for execution.114
S0484 Carberp Carberp can download and execute new plugins from the C2 server. 139140
S0348 Cardinal RAT Cardinal RAT can download and execute additional payloads.127
S0465 CARROTBALL CARROTBALL has the ability to download and install a remote payload.16
S0462 CARROTBAT CARROTBAT has the ability to download and execute a remote file via certutil.334
S1224 CASTLETAP CASTLETAP can transfer files to compromised network devices.119
S0572 Caterpillar WebShell Caterpillar WebShell has a module to download and upload files to the system.418
S0160 certutil certutil can be used to download files from a given URL.1718
S0631 Chaes Chaes can download additional files onto an infected machine.436
S0674 CharmPower CharmPower has the ability to download additional modules to a compromised host.433
S0144 ChChes ChChes is capable of downloading files, including additional modules.312313311
G0114 Chimera Chimera has remotely copied tools and malware onto targeted systems.588
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can download additional files from C2.110
S0020 China Chopper China Chopper’s server component can download remote files.134135136133132
S0023 CHOPSTICK CHOPSTICK is capable of performing remote file transmission.257
S0667 Chrommme Chrommme can download its code from C2.170
G1021 Cinnamon Tempest Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts.473
S0054 CloudDuke CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.274
S0106 cmd cmd can be used to copy files to/from a remotely connected external system.10
G0080 Cobalt Group Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.4716 The group’s JavaScript backdoor is also capable of downloading files.472
S0154 Cobalt Strike Cobalt Strike can deliver additional payloads to victim machines.412413
S0369 CoinTicker CoinTicker executes a Python script to download its second stage.328
S0608 Conficker Conficker downloads an HTTP server to the infected machine.464
G0142 Confucius Confucius has downloaded additional files and payloads onto a compromised host following initial access.542541
S0492 CookieMiner CookieMiner can download additional scripts from a web server.272
S0137 CORESHELL CORESHELL downloads another dropper from its C2 server.437
S0614 CostaBricks CostaBricks has been used to load SombRAT onto a compromised host.66
C0004 CostaRicto During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.66
S1023 CreepyDrive CreepyDrive can download files to the compromised host.363
S0115 Crimson Crimson contains a command to retrieve files from its C2 server.123337338
S0498 Cryptoistic Cryptoistic has the ability to send and receive files.156
S0527 CSPY Downloader CSPY Downloader can download additional tools to a compromised host.15
S0625 Cuba Cuba can download files from its C2 server.221
C0029 Cutting Edge During Cutting Edge, threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs.600
S0687 Cyclops Blink Cyclops Blink has the ability to download files to target systems.407406
S0497 Dacls Dacls can download its payload from a C2 server.156157
G1034 Daggerfly Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines.537
S1014 DanBot DanBot can download additional files to a targeted system.234
S0334 DarkComet DarkComet can load any files onto the infected machine to execute.260261
S1111 DarkGate DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.292 DarkGate uses Windows Batch scripts executing the curl command to retrieve follow-on payloads.293 DarkGate has stolen sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.294
G0012 Darkhotel Darkhotel has used first-stage payloads that download additional malware from C2 servers.571
S1066 DarkTortilla DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.43
S0187 Daserf Daserf can download remote files.111112
S0255 DDKONG DDKONG downloads and uploads files on the victim’s machine.51
S0616 DEATHRANSOM DEATHRANSOM can download files to a compromised host.215
S0354 Denis Denis deploys additional backdoors and hacking tools to the system.72
S0659 Diavol Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.419
S0200 Dipsind Dipsind can download remote files.121
S1088 Disco Disco can download files to targeted systems via SMB.74
S1021 DnsSystem DnsSystem can download files to compromised systems after receiving a command with the string downloaddd.217
S0213 DOGCALL DOGCALL can download and execute additional payloads.301
S0600 Doki Doki has downloaded scripts from C2.231
S0695 Donut Donut can download and execute previously staged shellcode payloads.26
S0472 down_new down_new has the ability to download files to the compromised host.62
S0134 Downdelph After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.332
G0035 Dragonfly Dragonfly has copied and installed tools for operations once in the victim environment.569
S0694 DRATzarus DRATzarus can deploy additional tools onto an infected machine.226
S0547 DropBook DropBook can download and execute additional files.251252
S0502 Drovorub Drovorub can download files to a compromised host.457
S0567 Dtrack Dtrack’s can download and upload a file to the victim’s computer.446447
S1159 DUSTTRAP DUSTTRAP can retrieve and load additional payloads.264
S0024 Dyre Dyre has a command to download and executes additional files.181
S0624 Ecipekac Ecipekac can download additional payloads to a compromised host.44
S0554 Egregor Egregor has the ability to download files from its C2 server.285286
G0066 Elderwood The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.65
S0081 Elise Elise can download additional files from the C2 server for execution.75
S0082 Emissary Emissary has the capability to download files from the C2 server.281
S0367 Emotet Emotet can download follow-on payloads and items via malicious url parameters in obfuscated PowerShell code.220
S0363 Empire Empire can upload and download to and from a victim machine.32
S0404 esentutl esentutl can be used to copy files from a given URL.25
S0396 EvilBunny EvilBunny has downloaded additional Lua scripts from the C2.33
S0568 EVILNUM EVILNUM can download and upload files to the victim’s computer.374373
G0120 Evilnum Evilnum can deploy additional components or tools as needed.374
S0401 Exaramel for Linux Exaramel for Linux has a command to download a file from and to a remote C2 server.7879
S0569 Explosive Explosive has a function to download a file to the infected system.347
S0171 Felismus Felismus can download files from remote servers.441
S0267 FELIXROOT FELIXROOT downloads and uploads files to and from the victim’s machine.438343
G1016 FIN13 FIN13 has downloaded additional tools and malware to compromised systems.524523
G0046 FIN7 FIN7 has downloaded additional malware to execute on the victim’s machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.548549547550
G0061 FIN8 FIN8 has used remote code execution to download subsequent payloads.560561
S0696 Flagpro Flagpro can download additional malware from the C2 server.280
S0381 FlawedAmmyy FlawedAmmyy can transfer files from C2.335
S0661 FoggyWeb FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.326
G0117 Fox Kitten Fox Kitten has downloaded additional tools including PsExec directly to endpoints.468
C0001 Frankenstein During Frankenstein, the threat actors downloaded files and tools onto a victim machine.593
S0095 ftp ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.2324
S1044 FunnyDream FunnyDream can download additional files onto a compromised host.331
C0007 FunnyDream During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.331
S0628 FYAnti FYAnti can download additional payloads to a compromised host.44
G0093 GALLIUM GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.581381
G0047 Gamaredon Group Gamaredon Group has downloaded additional malware and tools onto a compromised host.15249349281494496 For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments.495
S0168 Gazer Gazer can execute a task to download a file.295296
S0666 Gelsemium Gelsemium can download additional plug-ins to a compromised host.170
S0032 gh0st RAT gh0st RAT can download files to the victim’s machine.146147
S0249 Gold Dragon Gold Dragon can download additional components from the C2 server.179
S0493 GoldenSpy GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.377
S0588 GoldMax GoldMax can download and execute additional files.303382
S1138 Gootloader Gootloader can fetch second stage code from hardcoded web domains.416415
G0078 Gorgon Group Gorgon Group malware can download additional files from C2 servers.515
S0531 Grandoreiro Grandoreiro can download its second stage from a hardcoded URL within the loader’s code.102103
S0342 GreyEnergy GreyEnergy can download additional modules and payloads.343
S0632 GrimAgent GrimAgent has the ability to download and execute additional payloads.183
S0561 GuLoader GuLoader can download further malware for execution on the victim’s machine.330
S0132 H1N1 H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.348
G0125 HAFNIUM HAFNIUM has downloaded malware and tools–including Nishang and PowerCat–onto a compromised host.470133
S0499 Hancitor Hancitor has the ability to download additional files from C2.161
S1211 Hannotog Hannotog can download additional files to the victim machine.426
S0214 HAPPYWORK can download and execute a second-stage payload.130
S1229 Havoc Havoc has the ability to upload files to infected systems.199198
S0170 Helminth Helminth can download additional files.282
G1001 HEXANE HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.166
S1249 HexEval Loader HexEval Loader has been used to download a malicious payload to include BeaverTail.124125126
S0087 Hi-Zor Hi-Zor has the ability to upload and download files from its C2 server.86
S0394 HiddenWasp HiddenWasp downloads a tar compressed archive from a download server to the system.389
S0009 Hikit Hikit has the ability to download files to a compromised host.201
S0601 Hildegard Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.409
C0038 HomeLand Justice During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.608
S0376 HOPLIGHT HOPLIGHT has the ability to connect to a remote host in order to upload and download files.376
S0431 HotCroissant HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.317
S0070 HTTPBrowser HTTPBrowser is capable of writing a file to the compromised system from the C2 server.59
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can download files and additional malware components.212213
S0398 HyperBro HyperBro has the ability to download additional files.405
S0483 IcedID IcedID has the ability to download additional modules and a configuration file from C2.350351349243
S1152 IMAPLoader IMAPLoader is a loader used to retrieve follow-on payload encoded in email messages for execution on victim systems.439
G1032 INC Ransom INC Ransom has downloaded tools to compromised servers including Advanced IP Scanner. 580579
G0136 IndigoZebra IndigoZebra has downloaded additional files and tools from its C2 server.109
G0119 Indrik Spider Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.574576575
S0604 Industroyer Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.194
S1245 InvisibleFerret InvisibleFerret has downloaded “AnyDesk.exe” into the user’s home directory from the C2 server when checks for the service fail to identify its presence in the victim environment.184 InvisibleFerret has also been configured to download additional payloads using a command which calls to the /bow URI.185186
S0260 InvisiMole InvisiMole can upload files to the victim’s machine for operations.378379
S0015 Ixeshe Ixeshe can download and execute additional files.263
S0528 Javali Javali can download payloads from remote C2 servers.204
S0044 JHUHUGIT JHUHUGIT can retrieve an additional payload from its C2 server.454455 JHUHUGIT has a command to download files to the victim’s machine.456
S0201 JPIN JPIN can download files and upgrade itself.121
S0283 jRAT jRAT can download and execute files.254255256
S0648 JSS Loader JSS Loader has the ability to download malicious executables to a compromised host.459
S0215 KARAE KARAE can upload and download files, including second-stage malware.130
S0088 Kasidet Kasidet has the ability to download and execute additional files.393
S0265 Kazuar Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.107
G0004 Ke3chang Ke3chang has used tools to download files to compromised machines.108
S0585 Kerrdown Kerrdown can download specific payloads to a compromised host based on OS architecture.336
S0487 Kessel Kessel can download additional modules from the C2 server.118
S1020 Kevin Kevin can download files to the compromised host.166
S0387 KeyBoy KeyBoy has a download and upload functionality.290289
S0271 KEYMARBLE KEYMARBLE can upload files to the victim’s machine and can download additional payloads.138
S0526 KGH_SPY KGH_SPY has the ability to download and execute code from remote servers.15
G0094 Kimsuky Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.488489490
S0599 Kinsing Kinsing has downloaded additional lateral movement scripts from C2.427
S0437 Kivars Kivars has the ability to download and execute files.314
S0250 Koadic Koadic can download additional files and tools.1211
S0669 KOCTOPUS KOCTOPUS has executed a PowerShell command to download a file to the system.11
S0356 KONNI KONNI can download files and execute them on the victim’s machine.287288
C0035 KV Botnet Activity KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.596
S0236 Kwampirs Kwampirs downloads additional files from C2 servers.329
S1160 Latrodectus Latrodectus can download and execute PEs, DLLs, and shellcode from C2.243244242
G0032 Lazarus Group Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.480478479156157193483482481477
G0140 LazyScripter LazyScripter had downloaded additional tools to a compromised host.11
G0065 Leviathan Leviathan has downloaded additional scripts and files from adversary-controlled servers.182134
S0395 LightNeuron LightNeuron has the ability to download and execute additional files.277
S1185 LightSpy On macOS, LightSpy downloads a .json file from the C2 server. The .json file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash. LightSpy retrieves the plugins specified in the .json file, which are compiled .dylib files. These .dylib files provide task and platform specific functionality. LightSpy also imports open-source libraries to manage socket connections.149
S0211 Linfo Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.208
S0513 LiteDuke LiteDuke has the ability to download files.120
S0680 LitePower LitePower has the ability to download payloads containing system commands to a compromised host.151
S0681 Lizar Lizar can download additional plugins, files, and tools.340341342
S0447 Lokibot Lokibot downloaded several staged items onto the victim’s machine.463
S0451 LoudMiner LoudMiner used SCP to update the miner from the C2.302
S0042 LOWBALL LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.117
S0532 Lucifer Lucifer can download and execute a replica of itself using certutil.142
G1014 LuminousMoth LuminousMoth has downloaded additional malware and tools onto a compromised host.514513
S0409 Machete Machete can download additional files for execution on the victim’s machine.322
S1016 MacMa MacMa has downloaded additional files, including an exploit for used privilege escalation.434435
S1048 macOS.OSAMiner macOS.OSAMiner has used curl to download a Stripped Payloads from a public facing adversary-controlled webpage.
S1060 Mafalda Mafalda can download additional files onto the compromised host.325
G0059 Magic Hound Magic Hound has downloaded additional code and files from servers onto victims.508507506509
S1182 MagicRAT MagicRAT can import and execute additional payloads.89
S0652 MarkiRAT MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.129
S0500 MCMD MCMD can upload additional files to a compromised host.28
S0459 MechaFlounder MechaFlounder has the ability to upload and download files to and from a compromised host.380
G1051 Medusa Group Medusa Group has leveraged certutil, PowerShell, and Windows Command to download additional tools to include RMM services.525 Medusa Group has also engaged in “Bring Your Own Vulnerable Driver” (BYOVD) and downloaded vulnerable or signed drivers to the victim environment to disable security tools.525526
S0530 Melcoz Melcoz has the ability to download additional files to a compromised host.204
G0045 menuPass menuPass has installed updates and new malware on victims.497498
G1013 Metador Metador has downloaded tools and malware onto a compromised system.383
S1059 metaMain metaMain can download files onto compromised systems.383325
S0455 Metamorfo Metamorfo has used MSI files to download additional files to execute.429430431432
S0688 Meteor Meteor has the ability to download additional files for execution on the victim’s machine.100
S0339 Micropsia Micropsia can download and execute an executable from the C2 server.269270
S1015 Milan Milan has received files from C2 and stored them in log folders beginning with the character sequence a9850d2f.46
S0051 MiniDuke MiniDuke can download additional encrypted backdoors onto the victim via GIF files.228120
S0084 Mis-Type Mis-Type has downloaded additional malware and files onto a compromised host.101
S0083 Misdat Misdat is capable of downloading files from the C2.101
S0080 Mivast Mivast has the capability to download and execute .exe files.421
S0079 MobileOrder MobileOrder has a command to download a file from the C2 server to the victim mobile device’s SD card.202
S0553 MoleNet MoleNet can download additional payloads from the C2.251
G0021 Molerats Molerats used executables to download malicious files from different sources.499500
S1026 Mongall Mongall can download files to targeted systems.362
G1036 Moonstone Sleet Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems.546
S0284 More_eggs More_eggs can download and launch additional payloads.4748
G1009 Moses Staff Moses Staff has downloaded and installed web shells to following path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.570
S0256 Mosquito Mosquito can upload and download files to the victim.235
G0069 MuddyWater MuddyWater has used malware that can upload additional files to the victim’s machine.52752852931
G0129 Mustang Panda Mustang Panda has downloaded additional executables following the initial infection stage.564565566567 Mustang Panda has also leveraged Visual Studio Code code.exe and Dev Tunnels using DevTunnel.exe to propagate additional tools and payloads.568
G1020 Mustard Tempest Mustard Tempest has deployed secondary payloads and third stage implants to compromised hosts.584
S0228 NanHaiShu NanHaiShu can download additional files from URLs.182
S0336 NanoCore NanoCore has the capability to download and activate additional modules for execution.6768
S0247 NavRAT NavRAT can download files remotely.207
S0272 NDiskMonitor NDiskMonitor can download and execute a file from given URL.150
S0630 Nebulae Nebulae can download files from C2.77
S1189 Neo-reGeorg Neo-reGeorg has the ability to download files to targeted systems.58
S0691 Neoichor Neoichor can download additional files onto a compromised host.108
S0210 Nerex Nerex creates a backdoor through which remote attackers can download files onto a compromised host.65
S0457 Netwalker Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.444
S0198 NETWIRE NETWIRE can downloaded payloads from C2 to the compromised host.460461
S1192 NICECURL NICECURL has the ability to download additional content onto an infected machine, e.g. by using curl.122
S0118 Nidiran Nidiran can download and execute files.174
C0002 Night Dragon During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.613
S1090 NightClub NightClub can load multiple additional plugins on an infected host.74
S0385 njRAT njRAT can download files to the victim’s machine.8283
S0353 NOKKI NOKKI has downloaded a remote module for execution.222
G0133 Nomadic Octopus Nomadic Octopus has used malicious macros to download additional files to the victim’s machine.401
S0340 Octopus Octopus can download additional files and tools onto the victim’s machine.399400401
S1170 ODAgent ODAgent has the ability to download and execute files on compromised systems.178
S1172 OilBooster OilBooster can download and execute files from an actor-controlled OneDrive account.178
S1171 OilCheck OilCheck can download staged payloads from an actor-controlled infrastructure.178
G0049 OilRig OilRig had downloaded remote files onto victim infrastructure.394533
S0439 Okrum Okrum has built-in commands for uploading, downloading, and executing files to the system.76
S0264 OopsIE OopsIE can download files from its C2 server to the victim’s machine.318319
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.226590591
C0006 Operation Honeybee During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.607
C0048 Operation MidnightEclipse During Operation MidnightEclipse, threat actors downloaded additional payloads on compromised devices.598597
C0013 Operation Sharpshooter During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.606
C0014 Operation Wocao During Operation Wocao, threat actors downloaded additional files to the infected system.614
S0229 Orz Orz can download files onto the victim.182
S0402 OSX/Shlayer OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the curl -fsL “$url” >$tmp_path command to download malicious payloads into a temporary directory.384386387385
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.210211
C0042 Outer Space During Outer Space, OilRig downloaded additional tools to comrpomised infrastructure.160
S1017 OutSteel OutSteel can download files from its C2 server.158
S0598 P.A.S. Webshell P.A.S. Webshell can upload and download files to and from compromised hosts.79
S0626 P8RAT P8RAT can download additional payloads to a target system.44
S0664 Pandora Pandora can load additional drivers and files onto a victim machine.34
S0208 Pasam Pasam creates a backdoor through which remote attackers can upload files.275
G0040 Patchwork Patchwork payloads download additional files from the C2 server.577150
S0587 Penquin Penquin can execute the command code do_download to retrieve remote files from C2.250
S0643 Peppy Peppy can download and execute remote files.123
S0501 PipeMon PipeMon can install additional modules via C2 commands.163
S0124 Pisloader Pisloader has a command to upload a file to the victim machine.410
S0254 PLAINTEE PLAINTEE has downloaded and executed additional plugins.51
G0068 PLATINUM PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.484
G1040 Play Play has used Cobalt Strike to download files to compromised machines.538
S0435 PLEAD PLEAD has the ability to upload and download files to and from an infected host.304
S0013 PlugX PlugX has a module to download and execute files on the compromised machine.265266267268
S0428 PoetRAT PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.144145
S0012 PoisonIvy PoisonIvy creates a backdoor through which remote attackers can upload files.367
S0518 PolyglotDuke PolyglotDuke can retrieve payloads from the C2 server.120
S0453 Pony Pony can download additional files onto the infected system.164
S0150 POSHSPY POSHSPY downloads and executes additional PowerShell code and Windows binaries.388
S0139 PowerDuke PowerDuke has a command to download a file.299
S1173 PowerExchange PowerExchange can decode Base64-encoded files and call WriteAllBytes to write the files to compromised hosts.80
S1012 PowerLess PowerLess can download additional payloads to a compromised host.189
S0685 PowerPunch PowerPunch can download payloads from adversary infrastructure.81
S0145 POWERSOURCE POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.414
S0223 POWERSTATS POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.411
S0184 POWRUNER POWRUNER can download or upload files from its C2 server.394
S0613 PS1 CostaBricks can download additional payloads onto a compromised host.66
S0078 Psylo Psylo has a command to download a file to the system from its C2 server.202
S0147 Pteranodon Pteranodon can download and execute additional files.152153154
S1228 PUBLOAD PUBLOAD has acted as a stager that can download the next-stage payload from its C2 server.3536373940 PUBLOAD has also delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems.38
S0196 PUNCHBUGGY PUNCHBUGGY can download additional files and payloads to compromised hosts.297298
S0192 Pupy Pupy can upload and download to/from a victim machine.8
S0650 QakBot QakBot has the ability to download additional components and malware.359355360356358357
C0055 Quad7 Activity Quad7 Activity has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices.601
S0262 QuasarRAT QuasarRAT can download files to the victim’s machine and execute them.1314
S0686 QuietSieve QuietSieve can download and execute payloads on a target host.81
S1148 Raccoon Stealer Raccoon Stealer downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft.230229
S0629 RainyDay RainyDay can download files to a compromised host.77
G0075 Rancor Rancor has downloaded additional malware, including by using certutil.51
S0055 RARSTONE RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.190
S1130 Raspberry Robin Raspberry Robin retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim’s %AppData% folder.197196
S0241 RATANKBA RATANKBA uploads and downloads information.422423
S0662 RCSession RCSession has the ability to drop additional files to an infected machine.227
S0495 RDAT RDAT can download files via DNS.361
S0153 RedLeaves RedLeaves is capable of downloading a file from a specified URL.458
S1240 RedLine Stealer RedLine Stealer has the ability download additional payloads.315316
C0056 RedPenguin During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.609
S0511 RegDuke RegDuke can download files from C2.120
S1187 reGeorg reGeorg has the ability to download files to targeted systems.58
S0332 Remcos Remcos can upload and download files to and from the victim’s machine.22
S0166 RemoteCMD RemoteCMD copies a file over to the remote system before execution.372
S0592 RemoteUtilities RemoteUtilities can upload and download files to and from a target machine.31
S0125 Remsec Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.278279
S0379 Revenge RAT Revenge RAT has the ability to upload and download files.99
S0496 REvil REvil can download a copy of itself from an attacker controlled IP address to the victim machine.352353354
S0258 RGDoor RGDoor uploads and downloads files to and from the victim’s machine.445
S1222 RIFLESPINE RIFLESPINE can download and execute files.195
G0106 Rocke Rocke used malware to download additional malicious files to the target system.503
S0270 RogueRobin RogueRobin can save a new file to the system from the C2 server.105106
S0240 ROKRAT ROKRAT can retrieve additional malicious payloads from its C2 server.307308309310
S0148 RTM RTM can download additional files.403404
S0085 S-Type S-Type can download additional files onto a compromised host.101
S1018 Saint Bot Saint Bot can download additional files onto a compromised host.158
S0074 Sakula Sakula has the capability to download files.143
S1168 SampleCheck5000 SampleCheck5000 can download additional payloads to compromised hosts.160178
S1099 Samurai Samurai has been used to deploy other malware including Ninja.132
G0034 Sandworm Team Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.582583
S1085 Sardonic Sardonic has the ability to upload additional malicious files to a compromised machine.187
G1015 Scattered Spider Scattered Spider has downloaded the Teleport remote access tool to compromised VMware vCenter Servers.476
S0461 SDBbot SDBbot has the ability to download a DLL from C2 to a compromised host.271
S0053 SeaDuke SeaDuke is capable of uploading and downloading files.206
S0345 Seasalt Seasalt has a command to download additional files.259259
S0185 SEASHARPEE SEASHARPEE can download remote files onto victims.49
S0382 ServHelper ServHelper may download additional files to execute.172173
S0639 Seth-Locker Seth-Locker has the ability to download and execute files on a compromised host.84
S0596 ShadowPad ShadowPad has downloaded code from a C2 server.462
C0045 ShadowRay During ShadowRay, threat actors downloaded and executed the XMRig miner on targeted hosts.604
S0140 Shamoon Shamoon can download an executable to run on the victim.162
C0058 SharePoint ToolShell Exploitation During SharePoint ToolShell Exploitation, threat actors used a loader to download and execute ransomware.612
S1019 Shark Shark can download additional files from its C2 via HTTP or DNS.4645
S1089 SharpDisco SharpDisco has been used to download a Python interpreter to C:\Users\Public\WinTN\WinTN.exe as well as other plugins from external sources.74
S0546 SharpStage SharpStage has the ability to download and execute additional payloads via a DropBox API.251252
S0450 SHARPSTATS SHARPSTATS has the ability to upload and download files.300
S0444 ShimRat ShimRat can download additional files.7
S0445 ShimRatReporter ShimRatReporter had the ability to download additional payloads.7
S0217 SHUTTERSPEED SHUTTERSPEED can download and execute an arbitary executable.130
S0589 Sibot Sibot can download and execute a payload onto a compromised system.303
G1008 SideCopy SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.60
S0610 SideTwist SideTwist has the ability to download additional files.232
G0121 Sidewinder Sidewinder has used LNK files to download remote files to the victim’s network.504505
G0091 Silence Silence has downloaded additional modules and malware to victim’s machines.540
S0692 SILENTTRINITY SILENTTRINITY can load additional files and tools, including Mimikatz.9
S0468 Skidmap Skidmap has the ability to download files on an infected host.98
S1110 SLIGHTPULSE RAPIDPULSE can transfer files to and from compromised hosts.214
S0633 Sliver Sliver can download additional content and files from the Sliver server to the client residing on the victim machine using the upload command.1920
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has downloaded files onto a victim machine.327
S0218 SLOWDRIFT SLOWDRIFT downloads additional payloads.130
S1035 Small Sieve Small Sieve has the ability to download files.131
S0226 Smoke Loader Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.188
S0649 SMOKEDHAM SMOKEDHAM has used Powershell to download UltraVNC and ngrok from third-party file sharing sites.177
S1086 Snip3 Snip3 can download additional payloads to compromised systems.324323
S1124 SocGholish SocGholish can download additional malware to infected hosts.175176
S0627 SodaMaster SodaMaster has the ability to download additional payloads from C2 to the targeted system.44
S1166 Solar Solar has the ability to download and execute files.160
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access.440
S0615 SombRAT SombRAT has the ability to download and execute additional payloads.66215216
S0516 SoreFang SoreFang can download additional payloads from C2.5253
S0374 SpeakUp SpeakUp downloads and executes additional files from a remote server. 95
S1140 Spica Spica can upload and download files to and from compromised hosts.205
S0646 SpicyOmelette SpicyOmelette can download malicious files from threat actor controlled AWS URL’s.273
S0390 SQLRat SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.96
S1030 Squirrelwaffle Squirrelwaffle has downloaded and executed additional encoded payloads.224225
S1112 STEADYPULSE STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.448
S0380 StoneDrill StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.69
G1046 Storm-1811 Storm-1811 has used scripted cURL commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices.534536535
S1183 StrelaStealer StrelaStealer installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.417
S1034 StrifeWater StrifeWater can download updates and auxiliary modules.453
S0491 StrongPity StrongPity can download files to specified targets.402
S0559 SUNBURST SUNBURST delivered different payloads, including TEARDROP in at least one instance.440
S1064 SVCReady SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host.165
S0663 SysUpdate SysUpdate has the ability to download files to a compromised host.34258
G1018 TA2541
TA2541 has used malicious scripts and macros with the ability to download additional payloads.487
G0092 TA505 TA505 has downloaded additional malware to execute on victim systems.553173552
G0127 TA551 TA551 has retrieved DLLs and installer binaries for malware execution from C2.563
S0011 Taidoor Taidoor has downloaded additional files onto a compromised host.223
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can download additional modules from its C2 server.321
S1193 TAMECAT TAMECAT has used wget and curl to download additional content.122
S0164 TDTESS TDTESS has a command to download and execute an additional file.368
G0139 TeamTNT TeamTNT has the curl and wget commands as well as batch scripts to download new tools.532531
S0595 ThiefQuest ThiefQuest can download and execute payloads in-memory or from disk.442
G0027 Threat Group-3390 Threat Group-3390 has downloaded additional malware and tools, including through the use of certutil, onto a compromised host .59522
S0665 ThreatNeedle ThreatNeedle can download additional tools to enable lateral movement.193
S0668 TinyTurla TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.253
S0671 Tomiris Tomiris can download files and execute them on a victim’s system.333
S1239 TONESHELL TONESHELL has the ability to download additional files to the victim device.200
G0131 Tonto Team Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.589
S0266 TrickBot TrickBot downloads several additional files and saves them to the victim’s machine.424425
S0094 Trojan.Karagany Trojan.Karagany can upload, download, and execute files on the victim.248249
G0081 Tropic Trooper Tropic Trooper has used a delivered trojan to download additional files.475
S0436 TSCookie TSCookie has the ability to upload and download files to and from the infected host.97
S0647 Turian Turian can download additional files and tools from its C2.390
G0010 Turla Turla has used shellcode to download Meterpreter after compromising a victim.491
S0199 TURNEDUP TURNEDUP is capable of downloading additional files.73
S0263 TYPEFRAME TYPEFRAME can upload and download files to the victim’s machine.171
S0333 UBoatRAT UBoatRAT can upload and download files to the victim’s machine.443
S0130 Unknown Logger Unknown Logger is capable of downloading remote files.141
S0275 UPPERCUT UPPERCUT can download and upload files to and from the victim’s machine.344
S0022 Uroburos Uroburos can use a Put command to write files to an infected machine.371
S0386 Ursnif Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.5657
S0476 Valak Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.283284
S0636 VaporRage VaporRage has the ability to download malicious shellcode to compromised systems.148
S0207 Vasport Vasport can download files.61
S0442 VBShower VBShower has the ability to download VBS files to the target computer.466
S0257 VERMIN VERMIN can download and upload files to the victim’s machine.420
S1217 VIRTUALPITA VIRTUALPITA has the ability to upload and download files.238
G0123 Volatile Cedar Volatile Cedar can deploy additional tools.418
S0180 Volgmer Volgmer can download remote files and additional payloads to the victim’s machine.246245247
G1017 Volt Typhoon
Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.572
S0670 WarzoneRAT WarzoneRAT can download and execute additional files.128
C0037 Water Curupira Pikabot Distribution Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine’s temporary directory.594
S0579 Waterbear Waterbear can receive and load executables from remote C2 servers.209
S0109 WEBC2 WEBC2 can download and execute a file.346
S0515 WellMail WellMail can receive data and executable scripts from C2.50
S0514 WellMess WellMess can write files to a compromised host.218219
S0689 WhisperGate WhisperGate can download additional stages of malware from a Discord CDN channel.451450449452
G0107 Whitefly Whitefly has the ability to download additional tools from the C2.485
S0206 Wiarp Wiarp creates a backdoor through which remote attackers can download files.64
G0112 Windshift Windshift has used tools to deploy additional payloads to compromised hosts.562
S0430 Winnti for Linux Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. 305
S0141 Winnti for Windows The Winnti for Windows dropper can place malicious payloads on targeted systems.364
G0044 Winnti Group Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.558
G1035 Winter Vivern Winter Vivern executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads.551
S1115 WIREFIRE WIREFIRE has the ability to download files to compromised devices.159
G0090 WIRTE WIRTE has downloaded PowerShell code from the C2 server to be executed.573
G0102 Wizard Spider Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.545
S1065 Woody RAT Woody RAT can download files from its C2 server, including the .NET DLLs, WoodySharpExecutor and WoodyPowerSession.291
S0341 Xbash Xbash can download additional malicious files from its C2 server.276
S0653 xCaon xCaon has a command to download files to the victim’s machine.109
S0658 XCSSET XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://” & domain & “/agent/scripts/” & moduleName & “.applescript.137
S1248 XORIndex Loader XORIndex Loader has been used to download a malicious payload to include BeaverTail.125
S0388 YAHOYAH YAHOYAH uses HTTP GET requests to download other files that are executed in memory.85
S0251 Zebrocy Zebrocy obtains additional code to execute on the victim’s machine, including the downloading of a secondary payload.113114115116
S0230 ZeroT ZeroT can download additional payloads onto the victim.391
S0330 Zeus Panda Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.191
S1114 ZIPLINE ZIPLINE can download files to be saved on the compromised system.15942
G0128 ZIRCONIUM ZIRCONIUM has used tools to download malicious files to compromised hosts.578
S0086 ZLib ZLib has the ability to download files.101
S0672 Zox Zox can download files to a compromised machine.201
S0412 ZxShell ZxShell has a command to transfer files from a remote host.467
S1013 ZxxZ ZxxZ can download and execute additional files.55

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic Use network filtering to block outbound traffic from compromised systems to unapproved external destinations. Restricting access to known, trusted IP addresses and protocols can prevent attackers from downloading malicious tools or payloads onto compromised servers after gaining initial access.
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.4

References

  1. Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the “search-ms” URI Protocol Handler. Retrieved March 15, 2024. 

  2. COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises. (2023, May 25). Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar, Nathan Brubaker. Retrieved March 18, 2025. 

  3. David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023. 

  4. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  5. LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022. 

  6. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. 

  7. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  8. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  9. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  10. Microsoft. (n.d.). Copy. Retrieved April 26, 2016. 

  11. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  12. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. 

  13. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  14. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  15. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  16. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. 

  17. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017. 

  18. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019. 

  19. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021. 

  20. Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025. 

  21. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018. 

  22. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. 

  23. Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022. 

  24. N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022. 

  25. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019. 

  26. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  27. Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023. 

  28. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  29. Elkins, T. (2024, July 24). Malware Campaign Lures Users With Fake W2 Form. Retrieved September 13, 2024. 

  30. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  31. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  32. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  33. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  34. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  35. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025. 

  36. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025. 

  37. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  38. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025. 

  39. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025. 

  40. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025. 

  41. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024. 

  42. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. 

  43. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  44. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  45. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. 

  46. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  47. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  48. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  49. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  50. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. 

  51. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  52. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  53. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. 

  54. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 

  55. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  56. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019. 

  57. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. 

  58. L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024. 

  59. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  60. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  61. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018. 

  62. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  63. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  64. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018. 

  65. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018. 

  66. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  67. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018. 

  68. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. 

  69. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  70. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  71. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. 

  72. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  73. O’Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. 

  74. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  75. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024. 

  76. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  77. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  78. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  79. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  80. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024. 

  81. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  82. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  83. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  84. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021. 

  85. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  86. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved November 17, 2024. 

  87. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019. 

  88. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  89. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024. 

  90. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  91. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  92. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  93. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  94. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  95. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. 

  96. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  97. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  98. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  99. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  100. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  101. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  102. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  103. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  104. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  105. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  106. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. 

  107. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  108. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  109. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  110. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  111. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. 

  112. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  113. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  114. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  115. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  116. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  117. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  118. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  119. Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023. 

  120. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  121. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  122. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran’s APT42 Operations. Retrieved October 9, 2024. 

  123. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  124. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025. 

  125. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025. 

  126. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025. 

  127. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  128. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  129. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  130. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. 

  131. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. 

  132. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  133. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. 

  134. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  135. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. 

  136. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  137. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  138. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  139. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. 

  140. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. 

  141. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  142. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  143. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  144. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  145. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. 

  146. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 

  147. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  148. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  149. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025. 

  150. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  151. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  152. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  153. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  154. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  155. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018. 

  156. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  157. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. 

  158. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  159. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024. 

  160. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  161. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. 

  162. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. 

  163. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  164. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  165. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  166. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  167. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018. 

  168. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. 

  169. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. 

  170. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  171. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  172. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  173. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024.. 

  174. Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016. 

  175. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024. 

  176. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024. 

  177. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  178. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024. 

  179. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  180. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  181. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. 

  182. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  183. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  184. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  185. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025. 

  186. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  187. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 

  188. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. 

  189. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  190. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015. 

  191. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  192. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  193. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  194. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. 

  195. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 

  196. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024. 

  197. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024. 

  198. Immersive Content Team. (2024, April 9). Havoc C2 Framework – A Defensive Operator’s Guide. Retrieved August 13, 2025. 

  199. Ungur, P. (n.d.). HAVOC. Retrieved August 4, 2025. 

  200. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  201. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  202. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  203. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  204. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  205. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024. 

  206. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. 

  207. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. 

  208. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  209. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. 

  210. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. 

  211. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. 

  212. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  213. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. 

  214. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  215. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  216. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. 

  217. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  218. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  219. Süleyman Özarslan, PhD; Pincus Security Inc.. (2020, July 14). An Analysis of Emotet Malware: PowerShell Unobfuscation. Retrieved November 25, 2024. 

  220. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  221. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  222. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. 

  223. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  224. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  225. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  226. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  227. Kaspersky Lab’s Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved November 17, 2024. 

  228. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 

  229. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  230. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. 

  231. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  232. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  233. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  234. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  235. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  236. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. 

  237. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025. 

  238. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. 

  239. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  240. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  241. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. 

  242. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024. 

  243. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 

  244. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  245. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. 

  246. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. 

  247. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 

  248. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  249. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  250. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  251. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  252. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. 

  253. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. 

  254. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  255. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019. 

  256. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  257. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  258. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  259. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  260. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  261. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling. Retrieved September 8, 2021. 

  262. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  263. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  264. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  265. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025. 

  266. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  267. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. 

  268. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  269. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  270. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. 

  271. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  272. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  273. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. 

  274. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. 

  275. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  276. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  277. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  278. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  279. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016. 

  280. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  281. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 

  282. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. 

  283. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. 

  284. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021. 

  285. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  286. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  287. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. 

  288. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  289. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  290. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  291. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  292. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024. 

  293. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  294. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 

  295. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  296. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  297. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  298. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  299. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  300. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  301. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  302. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. 

  303. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  304. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  305. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. 

  306. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. 

  307. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  308. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  309. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  310. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved November 17, 2024. 

  311. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  312. George Glass. (2024, August 14). REDLINESTEALER Malware Driving the Initial Access Broker Market. Retrieved September 17, 2025. 

  313. Yair Herling. (2023, April 4). From ChatGPT to RedLine Stealer: The Dark Side of OpenAI and Google Bard. Retrieved September 17, 2025. 

  314. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  315. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  316. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  317. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. 

  318. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  319. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  320. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. 

  321. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. 

  322. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  323. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  324. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  325. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. 

  326. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018. 

  327. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021. 

  328. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  329. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 

  330. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 

  331. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. 

  332. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  333. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  334. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  335. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  336. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  337. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  338. Bourhis, P., Sekoia TDR. (2024, February 1). Unveiling the intricacies of DiceLoader. Retrieved May 14, 2025. 

  339. Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025. 

  340. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  341. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  342. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  343. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  344. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  345. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024. 

  346. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. 

  347. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. 

  348. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  349. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. 

  350. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  351. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  352. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  353. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  354. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024. 

  355. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  356. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  357. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024. 

  358. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  359. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  360. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 

  361. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  362. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024. 

  363. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  364. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  365. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  366. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025. 

  367. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025. 

  368. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  369. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  370. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024. 

  371. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  372. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  373. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  374. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  375. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  376. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  377. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. 

  378. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  379. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  380. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  381. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 

  382. Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code …now notarized!? #2020. Retrieved September 13, 2021. 

  383. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. 

  384. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  385. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. 

  386. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  387. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  388. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  389. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  390. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  391. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  392. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  393. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. 

  394. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  395. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  396. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  397. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. 

  398. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  399. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  400. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  401. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  402. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  403. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  404. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  405. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. 

  406. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  407. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024. 

  408. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  409. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. 

  410. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024. 

  411. Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022. 

  412. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024. 

  413. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  414. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 

  415. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  416. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016. 

  417. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 

  418. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. 

  419. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. 

  420. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. 

  421. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025. 

  422. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. 

  423. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. 

  424. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  425. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  426. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  427. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  428. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  429. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  430. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. 

  431. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  432. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  433. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024. 

  434. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024. 

  435. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  436. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. 

  437. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. 

  438. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. 

  439. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  440. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. 

  441. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  442. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  443. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024. 

  444. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  445. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. 

  446. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022. 

  447. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  448. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  449. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  450. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  451. Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. 

  452. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  453. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  454. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  455. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  456. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  457. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021. 

  458. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  459. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. 

  460. Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016. 

  461. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 

  462. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  463. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  464. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. 

  465. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. 

  466. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. 

  467. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. 

  468. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023. 

  469. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024. 

  470. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  471. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025. 

  472. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024. 

  473. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024. 

  474. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024. 

  475. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  476. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  477. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  478. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021. 

  479. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018. 

  480. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020. 

  481. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 

  482. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023. 

  483. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  484. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  485. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025. 

  486. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018. 

  487. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  488. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  489. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024. 

  490. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. 

  491. Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025. 

  492. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. 

  493. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 

  494. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  495. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  496. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024. 

  497. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. 

  498. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  499. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  500. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. 

  501. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  502. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  503. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  504. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  505. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024. 

  506. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024. 

  507. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  508. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  509. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  510. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  511. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  512. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  513. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  514. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  515. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  516. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  517. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. 

  518. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. 

  519. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025. 

  520. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025. 

  521. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  522. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  523. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 

  524. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  525. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  526. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. 

  527. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024. 

  528. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025. 

  529. The Red Canary Team. (2024, June 20). Intelligence Insights: June 2024. Retrieved March 14, 2025. 

  530. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025. 

  531. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. 

  532. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. 

  533. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. 

  534. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  535. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  536. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021. 

  537. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  538. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. 

  539. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. 

  540. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. 

  541. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022. 

  542. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  543. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018. 

  544. Gemini Advisory. (2022, January 13). FIN7 Uses Flash Drives to Spread Remote Access Trojan. Retrieved May 14, 2025. 

  545. Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024. 

  546. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019. 

  547. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  548. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024. 

  549. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  550. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. 

  551. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  552. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  553. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  554. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. 

  555. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  556. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

  557. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021. 

  558. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  559. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. 

  560. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  561. Secureworks Counter Threat Unit Research Team. (2022, April 27). BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX. Retrieved September 9, 2025. 

  562. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025. 

  563. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  564. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  565. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021. 

  566. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  567. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. 

  568. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  569. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024. 

  570. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  571. Kaspersky Lab’s Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016. 

  572. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  573. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024. 

  574. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. 

  575. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  576. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  577. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  578. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. 

  579. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021. 

  580. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018. 

  581. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. 

  582. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.. 

  583. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021. 

  584. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  585. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  586. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023. 

  587. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  588. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024. 

  589. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  590. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024. 

  591. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 . Retrieved January 15, 2025. 

  592. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024. 

  593. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024. 

  594. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024. 

  595. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025. 

  596. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  597. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. 

  598. Lumelsly, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024. 

  599. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  600. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  601. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  602. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. 

  603. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025. 

  604. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  605. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. 

  606. Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025. 

  607. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  608. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  609. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.