Skip to content

T1106 Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.1510 These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.4711 For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.126 This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.1398

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.14213

Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.5 Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.

Item Value
ID T1106
Sub-techniques
Tactics TA0002
Platforms Linux, Windows, macOS
Version 2.3
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL is capable of starting a process using CreateProcess.192
S1129 Akira Akira executes native Windows functions such as GetFileAttributesW and GetSystemInfo.167
S1025 Amadey Amadey has used a variety of Windows API calls, including GetComputerNameA, GetUserNameA, and CreateProcessA.70
S0622 AppleSeed AppleSeed has the ability to use multiple dynamically resolved API calls.147
G0067 APT37 APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.240
G0082 APT38 APT38 has used the Windows API to execute code within a victim’s system.244
S0456 Aria-body Aria-body has the ability to launch files using ShellExecute.56
S1087 AsyncRAT AsyncRAT has the ability to use OS APIs including CheckRemoteDebuggerPresent.23
S0438 Attor Attor’s dispatcher has used CreateProcessW API for execution.219
S0640 Avaddon Avaddon has used the Windows Crypto API to generate an AES key.99
S1053 AvosLocker AvosLocker has used a variety of Windows API calls, including NtCurrentPeb and GetLogicalDrives.60
S0638 Babuk Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.484950
S0475 BackConfig BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.61
S0606 Bad Rabbit Bad Rabbit has used various Windows API calls.180
S1081 BADHATCH BADHATCH can utilize Native API functions such as, ToolHelp32 and Rt1AdjustPrivilege to enable SeDebugPrivilege on a compromised machine.121
S0128 BADNEWS BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.201202
S0234 Bandook Bandook has used the ShellExecuteW() function call.184
S0239 Bankshot Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().125
S0534 Bazar Bazar can use various APIs to allocate memory and facilitate code execution/injection.214
S0470 BBK BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.88
S0574 BendyBear BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.165
S0268 Bisonal Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.38
S0570 BitPaymer BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW.221
S1070 Black Basta Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.200198196197199
S1180 BlackByte Ransomware BlackByte Ransomware uses the SetThreadExecutionState API to prevent the victim system from entering sleep.189
G0098 BlackTech BlackTech has used built-in API functions.236
S0521 BloodHound BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.26
S1226 BOOKWORM BOOKWORM has used various Windows API calls during execution and defense evasion.145 146 BOOKWORM has created a buffer on the heap using HeapCreate and HeapAlloc which allows for copying of shell code and then execution on the heap is initiated through callback function of legitimate API functions such as EnumChildWindows or EnumSystemLanguageGroupsA. 146
S0651 BoxCaon BoxCaon has used Windows API calls to obtain information about the compromised host.79
S1063 Brute Ratel C4 Brute Ratel C4 can call multiple Windows APIs for execution, to share memory, and defense evasion.3029
S0471 build_downer build_downer has the ability to use the WinExec API to execute malware on a compromised host.88
S1039 Bumblebee Bumblebee can use multiple Native APIs.142143
S0693 CaddyWiper CaddyWiper has the ability to dynamically resolve and use APIs, including SeTakeOwnershipPrivilege.215
S1237 CANONSTAGER CANONSTAGER has leveraged Native API calls to execute code within the victim’s system including GetCurrentDirectoryW, RegisterClassW and CreateWindowExW.222 CANONSTAGER also created a new overlapped window that initiates callback functions to a windows procedure that processes Windows messages until a designated message type of 0x0018 WM_SHOWWINDOW is observed which then initiates the deployment of a subsequent malicious payload.222
S0484 Carberp Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.191
S0631 Chaes Chaes used the CreateFileW() API function with read permissions to access downloaded payloads.69
G0114 Chimera Chimera has used direct Windows system calls by leveraging Dumpert.235
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can use Windows APIs including LoadLibrary and GetProcAddress.83
S0667 Chrommme Chrommme can use Windows API including WinExec for execution.166
S1236 CLAIMLOADER CLAIMLOADER has used various Windows API calls during execution, when establishing persistence and defense evasion.7576 CLAIMLOADER has also leveraged the legitimate API functions to run its shellcode through the callback function, including GetDC() and EnumFontsW().75 CLAIMLOADER established persistence by utilizing the API SHSetValue().75 CLAIMLOADER has utilized APIs with callback functions such as EnumpropsExW, EnumSystemLanguageGroupsA, and EnumCalendarInfoExW.76
S0611 Clop Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().5455
S0154 Cobalt Strike Cobalt Strike’s Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe444345
S0126 ComRAT ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.136
S0575 Conti Conti has used API calls during execution.224225
S0614 CostaBricks CostaBricks has used a number of API calls, including VirtualAlloc, VirtualFree, LoadLibraryA, GetProcAddress, and ExitProcess.87
S0625 Cuba Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.51
S0687 Cyclops Blink Cyclops Blink can use various Linux API functions including those for execution and discovery.37
S1111 DarkGate DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.170 DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.169 DarkGate has also used the CreateToolhelp32Snapshot, GetFileAttributesA and CreateProcessA functions to obtain a list of running processes, to check for security products and to execute its malware.171
S1066 DarkTortilla DarkTortilla can use a variety of API calls for persistence and defense evasion.178
S1033 DCSrv DCSrv has used various Windows API functions, including DeviceIoControl, as part of its encryption process.119
S1052 DEADEYE DEADEYE can execute the GetComputerNameA and GetComputerNameExA WinAPI functions.115
S0354 Denis Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of a process hollowing process.168
S0659 Diavol Diavol has used several API calls like GetLogicalDriveStrings, SleepEx, SystemParametersInfoAPI, CryptEncrypt, and others to execute parts of its attack.181
S0695 Donut Donut code modules use various API functions to load and inject code.28
S0694 DRATzarus DRATzarus can use various API calls to see if it is running in a sandbox.157
S0384 Dridex Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.58
S0554 Egregor Egregor has used the Windows API to make detection more difficult.106
S1247 Embargo Embargo has leveraged Windows Native API functions to execute its operations.82
S0367 Emotet Emotet has used CreateProcess to create a new process to run its executable and WNetEnumResourceW to enumerate non-hidden shares.226
S0363 Empire Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.25
S0396 EvilBunny EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.33
S1179 Exbyte Exbyte calls ShellExecuteW with the IpOperation parameter RunAs to launch explorer.exe with elevated privileges.34
S0569 Explosive Explosive has a function to call the OpenClipboard wrapper.177
S0512 FatDuke FatDuke can call ShellExecuteW to open the default browser on the URL localhost.112
S0696 Flagpro Flagpro can use Native API to enable obfuscation including GetLastError and GetTickCount.195
S0661 FoggyWeb FoggyWeb’s loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.138
S1044 FunnyDream FunnyDream can use Native API for defense evasion, discovery, and collection.31
G0047 Gamaredon Group Gamaredon Group malware has used CreateProcess to launch additional malicious components.241242
S0666 Gelsemium Gelsemium has the ability to use various Windows API functions to perform tasks.166
S0032 gh0st RAT gh0st RAT has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.160
S0493 GoldenSpy GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.135
S0477 Goopy Goopy has the ability to enumerate the infected system’s user name via GetUserNameW.168
G0078 Gorgon Group Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.233
S0531 Grandoreiro Grandoreiro can execute through the WinExec API.194
S0632 GrimAgent GrimAgent can use Native API including GetProcAddress and ShellExecuteW.118
S0561 GuLoader GuLoader can use a number of different APIs for discovery and execution.105
S0499 Hancitor Hancitor has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.98
S1229 Havoc Havoc can use NtAllocateVirtualMemory and NtCreateThreadEx to aid process injection.220
S0391 HAWKBALL HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.216
S0697 HermeticWiper HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data.149150144148
S0698 HermeticWizard HermeticWizard can connect to remote shares using WNetAddConnection2W.144
G0126 Higaisa Higaisa has called various native OS APIs.229
S0431 HotCroissant HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.126
S0398 HyperBro HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.182
S0537 HyperStack HyperStack can use Windows API’s ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.120
S0483 IcedID IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.141
S1152 IMAPLoader IMAPLoader imports native Windows APIs such as GetConsoleWindow and ShowWindow.78
S0434 Imminent Monitor Imminent Monitor has leveraged CreateProcessW() call to execute the debugger.24
S1139 INC Ransomware INC Ransomware can use the API DeviceIoControl to resize the allocated space for and cause the deletion of volume shadow copy snapshots.77
S0259 InnaputRAT InnaputRAT uses the API call ShellExecuteW for execution.134
S0260 InvisiMole InvisiMole can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.228
S1190 Kapeka Kapeka utilizes WinAPI calls to gather victim system information.205
S1020 Kevin Kevin can use the ShowWindow API to avoid detection.156
S0607 KillDisk KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.62
S0669 KOCTOPUS KOCTOPUS can use the LoadResource and CreateProcessW APIs for execution.185
S0356 KONNI KONNI has hardcoded API calls within its functions to use on the victim’s machine.151
S1160 Latrodectus Latrodectus has used multiple Windows API post exploitation including GetAdaptersInfo, CreateToolhelp32Snapshot, and CreateProcessW.155154
G0032 Lazarus Group Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.230 Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.231232
S0395 LightNeuron LightNeuron is capable of starting a process using CreateProcess.175
S0680 LitePower LitePower can use various API calls.140
S0681 Lizar Lizar has used various Windows API functions on a victim’s machine.91
S1202 LockBit 3.0 LockBit 3.0 has the ability to directly call native Windows API items during execution.9695
S0447 Lokibot Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.173
S1016 MacMa MacMa has used macOS API functions to perform tasks.131132
S1060 Mafalda Mafalda can use a variety of API calls.128
S1169 Mango Mango has the ability to use Native APIs.206
S0652 MarkiRAT MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.74
S0449 Maze Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.122
G1051 Medusa Group Medusa Group has leveraged Windows Native API functions to execute payloads.130
S1244 Medusa Ransomware Medusa Ransomware has leveraged Windows Native API functions to execute payloads.130
S0576 MegaCortex After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs.186
G0045 menuPass menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.239
S1059 metaMain metaMain can execute an operator-provided Windows command by leveraging functions such as WinExec, WriteFile, and ReadFile.128129
S0455 Metamorfo Metamorfo has used native WINAPI calls.8485
S0688 Meteor Meteor can use WinAPI to remove a victim machine from an Active Directory domain.127
S1015 Milan Milan can use the API DnsQuery_A for DNS resolution.156
S0084 Mis-Type Mis-Type has used Windows API calls, including NetUserAdd and NetUserDel.39
S0083 Misdat Misdat has used Windows APIs, including ExitWindowsEx and GetKeyboardType.39
S1122 Mispadu Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.103104
S0256 Mosquito Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.218
G0129 Mustang Panda Mustang Panda has used various Windows API calls during execution and defense evasion.208145152757620315322214624366111
S0630 Nebulae Nebulae has the ability to use CreateProcess to execute a process.42
S0457 Netwalker Netwalker can use Windows API functions to inject the ransomware DLL.172
S0198 NETWIRE NETWIRE can use Native API including CreateProcess GetProcessById, and WriteProcessMemory.188
S1090 NightClub NightClub can use multiple native APIs including GetKeyState, GetForegroundWindow, GetWindowThreadProcessId, and GetKeyboardLayout.73
S1100 Ninja The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption.107108
S0385 njRAT njRAT has used the ShellExecute() function within a script.94
S1170 ODAgent ODAgent can pass commands using native APIs.102
S1172 OilBooster OilBooster has used the ShowWindow and CreateProcessW APIs.102
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used Windows API ObtainUserAgentString to obtain the victim’s User-Agent and used the value to connect to their C2 server.230
C0006 Operation Honeybee During Operation Honeybee, the threat actors deployed malware that used API calls, including CreateProcessAsUser.248
C0013 Operation Sharpshooter During Operation Sharpshooter, the first stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().217
C0014 Operation Wocao During Operation Wocao, threat actors used the CreateProcessA and ShellExecute API functions to launch commands after being injected into a selected process.249
S1233 PAKLOG PAKLOG has used Windows API SetWindowsHookExW with idHook set to WH_KEYBOARD_LL and a custom hook procedure to support its keylogging functions.66
S1050 PcShare PcShare has used a variety of Windows API functions.31
S1145 Pikabot Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as CheckRemoteDebuggerPresent, NtQueryInformationProcess, ProcessDebugPort, and ProcessDebugFlags.123 Other Pikabot variants populate a global list of Windows API addresses from the NTDLL and KERNEL32 libraries, and references these items instead of calling the API items to obfuscate execution.124
S0517 Pillowmint Pillowmint has used multiple native Windows APIs to execute and conduct process injections.161
S0501 PipeMon PipeMon’s first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.212
S0435 PLEAD PLEAD can use ShellExecute to execute applications.190
S0013 PlugX PlugX can use the Windows API functions GetProcAddress, LoadLibrary, and CreateProcess to execute another process.208209210
S0518 PolyglotDuke PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.112
S0453 Pony Pony has used several Windows functions for various purposes.36
S1058 Prestige Prestige has used the Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection() functions to disable and restore file system redirection.158
S0147 Pteranodon Pteranodon has used various API calls.65
S1228 PUBLOAD PUBLOAD has used various Windows API calls during execution, when establishing persistence and defense evasion.15276 PUBLOAD stager leveraged Windows API functions with callback including GrayStringW, EnumDateFormatsA, and LineDDA to bypass anti-virus monitoring. 153 PUBLOAD has also utilized other native windows API functions with callback functions such as EnumChildWindows and EnumSystemLanguageGroupsA. 146
S0650 QakBot QakBot can use GetProcAddress to help delete malicious strings from memory.53
S1242 Qilin Qilin can attempt to log on to the local computer via LogonUserW and use GetLogicalDrives() and EnumResourceW() for discovery.9089
S1076 QUIETCANARY QUIETCANARY can call System.Net.HttpWebRequest to identify the default proxy configured on the victim computer.187
S0629 RainyDay The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring.42
S0458 Ramsay Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.68
S0662 RCSession RCSession can use WinSock API for communication including WSASend and WSARecv.133
S0416 RDFSNIFFER RDFSNIFFER has used several Win32 API functions to interact with the victim machine.183
S0496 REvil REvil can use Native API for execution and to retrieve active services.113114
S0448 Rising Sun Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().217
S0240 ROKRAT ROKRAT can use a variety of API calls to execute shellcode.92
S1078 RotaJakiro When executing with non-root permissions, RotaJakiro uses the the shmget API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the execvp API to help its dead process “resurrect”.86
S1073 Royal Royal can use multiple APIs for discovery, communication, and execution.193
S0148 RTM RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.162
S0446 Ryuk Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.57
S0085 S-Type S-Type has used Windows APIs, including GetKeyboardType, NetUserAdd, and NetUserDel.39
S1210 Sagerunex Sagerunex calls the WaitForSingleObject API function as part of time-check logic.93
S1018 Saint Bot Saint Bot has used different API calls, including GetProcAddress, VirtualAllocEx, WriteProcessMemory, CreateProcessA, and SetThreadContext.109110
S1099 Samurai Samurai has the ability to call Windows APIs.107
G0034 Sandworm Team Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection().158
S1085 Sardonic Sardonic has the ability to call Win32 API functions to determine if powershell.exe is running.176
S1089 SharpDisco SharpDisco can leverage Native APIs through plugins including GetLogicalDrives.73
S0444 ShimRat ShimRat has used Windows API functions to install the service and shim.32
S0445 ShimRatReporter ShimRatReporter used several Windows API functions to gather information from the infected system.32
G1008 SideCopy SideCopy has executed malware by calling the API function CreateProcessW.237
S0610 SideTwist SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information.47
G0091 Silence Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.246247
S0692 SILENTTRINITY SILENTTRINITY has the ability to leverage API including GetProcAddress and LoadLibrary.27
S0623 Siloscape Siloscape makes various native API calls.223
S0627 SodaMaster SodaMaster can use RegOpenKeyW to access the Registry.41
S0615 SombRAT SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.87
S1234 SplatCloak SplatCloak has utilized Native Windows API calls dynamically through ZwQuerySystemInformation.66
S1232 SplatDropper SplatDropper has utilized hashed Native Windows API calls.66
S1227 StarProxy StarProxy has used native windows API calls such as GetLocalTime() to retrieve system data.111
S1200 StealBit StealBit can use native APIs including LoadLibraryExA for execution and NtSetInformationProcess for defense evasion purposes.137
S1034 StrifeWater StrifeWater can use a variety of APIs for execution.67
S0603 Stuxnet Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.204
S0562 SUNSPOT SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process.163
S1064 SVCReady SVCReady can use Windows API calls to gather information from an infected host.159
S0242 SynAck SynAck parses the export tables of system DLLs to locate and call various Windows API functions.116117
S0663 SysUpdate SysUpdate can call the GetNetworkParams API as part of its C2 establishment process.213
G0092 TA505 TA505 has deployed payloads that use Windows API calls on a compromised host.245
S0011 Taidoor Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.8081
S0595 ThiefQuest ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.207
S0668 TinyTurla TinyTurla has used WinHTTP, CreateProcess, and other APIs for C2 communications and other functions.59
G1022 ToddyCat ToddyCat has used WinExec to execute commands received from C2 on compromised hosts.108
S1239 TONESHELL TONESHELL has utilized Native Windows API functions such as WriteProcessMemory and CreateRemoteThreadEx.203 TONESHELL has also utilized Windows API functions for creating seed values including CoCreateGuid and GetTickCount.76111 TONESHELL has leveraged the legitimate API function EnumSystemLocalesA to run its shellcode through the callback function.146
S0678 Torisma Torisma has used various Windows API calls.40
S0266 TrickBot TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.71 TrickBot has also used Nt* API functions to perform Process Injection.72
G0081 Tropic Trooper Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.238
G0010 Turla Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.234
S0022 Uroburos Uroburos can use native Windows APIs including GetHostByName.52
S0386 Ursnif Ursnif has used CreateProcessW to create child processes.64
S0180 Volgmer Volgmer executes payloads using the Windows API call CreateProcessW().97
S0670 WarzoneRAT WarzoneRAT can use a variety of API calls on a compromised host.164
S0612 WastedLocker WastedLocker’s custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.174
S0579 Waterbear Waterbear can leverage API functions for execution.211
S0689 WhisperGate WhisperGate has used the ExitWindowsEx to flush file buffers to disk and stop running processes and other API calls.100101
S0466 WindTail WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.63
S0141 Winnti for Windows Winnti for Windows can use Native API to create a new process and to start services.35
S1065 Woody RAT Woody RAT can use multiple native APIs, including WriteProcessMemory, CreateProcess, and CreateRemoteThread for process injection.179
S0161 XAgentOSX XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.227
S0653 xCaon xCaon has leveraged native OS function calls to retrieve victim’s network adapter’s information using GetAdapterInfo() API.79
S1207 XLoader XLoader uses the native Windows API for functionality, including defense evasion.139
S1151 ZeroCleare ZeroCleare can call the GetSystemDirectoryW API to locate the system directory.83
S0412 ZxShell ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.RegisterServiceCtrlHandler
S1013 ZxxZ ZxxZ has used API functions such as Process32First, Process32Next, and ShellExecuteA.46

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. 22
M1038 Execution Prevention Identify and block potentially malicious software executed that may be executed through this technique by using application control 16 tools, like Windows Defender Application Control18, AppLocker, 21 20 or Software Restriction Policies 17 where appropriate. 19

References

  1. Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020. 

  2. Apple. (n.d.). Core Services. Retrieved June 25, 2020. 

  3. Apple. (n.d.). Foundation. Retrieved July 1, 2020. 

  4. de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021. 

  5. Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023. 

  6. Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020. 

  7. Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021. 

  8. glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020. 

  9. Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020. 

  10. Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020. 

  11. MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. 

  12. Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024. 

  13. Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020. 

  14. Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020. 

  15. The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020. 

  16. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014. 

  17. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved September 12, 2024. 

  18. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019. 

  19. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016. 

  20. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016. 

  21. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. 

  22. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. 

  23. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. 

  24. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  25. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  26. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. 

  27. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  28. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  29. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023. 

  30. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  31. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  32. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  33. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  34. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024. 

  35. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  36. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  37. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  38. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  39. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  40. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  41. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  42. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024. 

  43. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  44. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  45. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  46. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  47. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  48. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  49. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021. 

  50. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  51. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  52. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  53. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. 

  54. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. 

  55. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  56. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  57. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021. 

  58. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. 

  59. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. 

  60. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  61. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021. 

  62. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019. 

  63. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019. 

  64. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  65. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  66. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  67. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  68. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  69. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  70. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  71. Joe Security. (2020, July 13). TrickBot’s new API-Hammering explained. Retrieved September 30, 2021. 

  72. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  73. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  74. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025. 

  75. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  76. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. 

  77. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024. 

  78. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  79. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. 

  80. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  81. Cyble. (2024, May 24). The Rust Revolution: New Embargo Ransomware Steps In. Retrieved October 19, 2025. 

  82. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  83. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  84. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  85. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023. 

  86. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  87. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  88. Halcyon RISE Team. (2024, October 24). New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion. Retrieved September 26, 2025. 

  89. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025. 

  90. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  91. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  92. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025. 

  93. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  94. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025. 

  95. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025. 

  96. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  97. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. 

  98. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021. 

  99. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  100. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024. 

  101. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024. 

  102. Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024. 

  103. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. 

  104. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021. 

  105. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020. 

  106. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  107. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  108. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  109. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  110. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. 

  111. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  112. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  113. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  114. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  115. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. 

  116. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018. 

  117. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  118. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  119. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. 

  120. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling. Retrieved September 8, 2021. 

  121. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  122. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024. 

  123. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024. 

  124. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  125. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020. 

  126. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  127. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  128. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  129. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. 

  130. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  131. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. 

  132. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  133. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  134. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  135. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  136. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025. 

  137. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  138. Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025. 

  139. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  140. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  141. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  142. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022. 

  143. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  144. Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025. 

  145. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025. 

  146. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  147. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  148. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. 

  149. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  150. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  151. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025. 

  152. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025. 

  153. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. 

  154. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 

  155. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  156. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  157. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  158. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  159. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  160. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  161. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  162. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  163. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022. 

  164. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  165. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  166. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024. 

  167. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  168. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  169. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  170. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024. 

  171. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. 

  172. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  173. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  174. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  175. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 

  176. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  177. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  178. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  179. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021. 

  180. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 

  181. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  182. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  183. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  184. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  185. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  186. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 

  187. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  188. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024. 

  189. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  190. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. 

  191. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  192. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. 

  193. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  194. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  195. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023. 

  196. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. 

  197. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024. 

  198. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023. 

  199. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. 

  200. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  201. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  202. Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025. 

  203. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. 

  204. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025. 

  205. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  206. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. 

  207. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  208. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  209. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015. 

  210. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  211. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  212. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  213. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  214. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022. 

  215. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. 

  216. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  217. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  218. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  219. Ungur, P. (n.d.). HAVOC. Retrieved August 4, 2025. 

  220. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  221. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025. 

  222. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. 

  223. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. 

  224. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  225. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023. 

  226. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  227. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  228. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  229. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  230. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  231. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  232. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  233. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  234. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.. 

  235. Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022. 

  236. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  237. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  238. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  239. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  240. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  241. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024. 

  242. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025. 

  243. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  244. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  245. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019. 

  246. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  247. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  248. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.