Skip to content

T1124 System Time Discovery

An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.981 These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.52

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \hostname to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using w32tm /tz.8 In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.12

On network devices, Network Device CLI commands such as show clock detail can be used to see the current time configuration.4 On ESXi servers, esxcli system clock get can be used for the same purpose.

In addition, system calls – such as time() – have been used to collect the current time on Linux devices.3 On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.116

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job10, or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.7

Item Value
ID T1124
Sub-techniques
Tactics TA0007
Platforms ESXi, Linux, Network Devices, Windows, macOS
Version 1.5
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla can collect the timestamp from the victim’s machine.36
S0622 AppleSeed AppleSeed can pull a timestamp from the victim’s machine.97
S0373 Astaroth Astaroth collects the timestamp from the infected machine. 18
S1053 AvosLocker AvosLocker has checked the system time before and after encryption.98
S0344 Azorult Azorult can collect the time zone information from the system.7273
S1081 BADHATCH BADHATCH can obtain the DATETIME and UPTIME from a compromised machine.38
S0534 Bazar Bazar can collect the time on the compromised host.6061
S1246 BeaverTail BeaverTail has obtained and sent the current timestamp associated with the victim device to C2.63
S0574 BendyBear BendyBear has the ability to determine local time on a compromised host.82
S0017 BISCUIT BISCUIT has a command to collect the system UPTIME.65
S0268 Bisonal Bisonal can check the system time set on the infected host.96
S0657 BLUELIGHT BLUELIGHT can collect the local time on a compromised host.85
G0060 BRONZE BUTLER BRONZE BUTLER has used net time to check the local time on a target system.105
S0471 build_downer build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.54
C0015 C0015 During C0015, the threat actors used the command net view /all time to gather the local time of a compromised network.114
S0351 Cannon Cannon can collect the current time zone information from the victim’s machine.74
S0335 Carbon Carbon uses the command net time \127.0.0.1 to get information the system’s time.41
S1043 ccf32 ccf32 can determine the local time on targeted machines.37
G0114 Chimera Chimera has used time /t and net time \ip/hostname for system time discovery.108
S0660 Clambling Clambling can determine the current time.78
S0126 ComRAT ComRAT has checked the victim system’s date and time to perform tasks during business hours (9 to 5, Monday to Friday).81
S0608 Conficker Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.3334
S0115 Crimson Crimson has the ability to determine the date and time on a compromised host.44
G1012 CURIUM CURIUM deployed mechanisms to check system time information following strategic website compromise attacks.106
S1111 DarkGate DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host’s current date for the filename.75 DarkGate queries victim system epoch time during execution.75 DarkGate captures system time information as part of automated profiling on initial installation.76
G0012 Darkhotel Darkhotel malware can obtain system time from a compromised host.107
S0673 DarkWatchman DarkWatchman can collect time zone information and system UPTIME.49
S1033 DCSrv DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.58
S1134 DEADWOOD DEADWOOD will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past, the wiper will execute immediately.77
S0694 DRATzarus DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to inspect system time.50
S1159 DUSTTRAP DUSTTRAP reads the infected system’s current time and writes it to a log file during execution.79
S0554 Egregor Egregor contains functionality to query the local/system time.42
S0091 Epic Epic uses the net time command to get the system time from the machine and collect the current date and time zone information.28
S0396 EvilBunny EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.23
S0267 FELIXROOT FELIXROOT gathers the time zone information from the victim’s machine.66
G0046 FIN7 FIN7 has used the PowerShell script 3CF9.ps1 to execute net time.109
S1044 FunnyDream FunnyDream can check system time to help determine when changes were made to specified files.37
S0588 GoldMax GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.3132
S0531 Grandoreiro Grandoreiro can determine the time on the victim machine via IPinfo.48
S0237 GravityRAT GravityRAT can obtain the date and time of a system.35
S0690 Green Lambert Green Lambert can collect the date and time from a compromised host.9394
S0417 GRIFFON GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.39
G0126 Higaisa Higaisa used a function to gather the current time.103
S0376 HOPLIGHT HOPLIGHT has been observed collecting system time from victim machines.84
S0260 InvisiMole InvisiMole gathers the local system time from the victim’s machine.9091
S1051 KEYPLUG KEYPLUG can obtain the current tick count of an infected computer.25
G0032 Lazarus Group A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.88
S1244 Medusa Ransomware Medusa Ransomware has discovered device uptime through GetTickCount().86
S0455 Metamorfo Metamorfo uses JavaScript to get the system time.45
S0149 MoonWind MoonWind obtains the victim’s current time.64
S0039 Net The net time command can be used in Net to determine the local or remote system time.13
S1147 Nightdoor Nightdoor can identify the system local time information.68
S0353 NOKKI NOKKI can collect the current timestamp of the victim’s machine.47
S0439 Okrum Okrum can obtain the date and time of the compromised system.95
S0264 OopsIE OopsIE checks to see if the system is configured with “Daylight” time and checks for a specific region to be set for the timezone.89
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used the net time command as part of their advanced reconnaissance.112
C0014 Operation Wocao During Operation Wocao, threat actors used the time command to retrieve the current time of a compromised system.113
S1233 PAKLOG PAKLOG has collected a timestamp to log the precise time a key was pressed, formatted as %Y-%m-%d %H:%M:%S.99
S0501 PipeMon PipeMon can send time zone information from a compromised host to C2.71
S0013 PlugX PlugX has identified system time through its GetSystemInfo command.43
S0139 PowerDuke PowerDuke has commands to get the time the machine was built, the time, and the time zone.59
S0238 Proxysvc As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.88
S1228 PUBLOAD PUBLOAD has collected the machine’s tick count through the use of GetTickCount.87
S0650 QakBot QakBot can identify the system time on a targeted host.40
S1148 Raccoon Stealer Raccoon Stealer gathers victim machine timezone information.5655
S0148 RTM RTM can obtain the victim time zone.46
S0596 ShadowPad ShadowPad has collected the current date and time of the victim system.21
S0140 Shamoon Shamoon obtains the system time and will only activate if it is greater than a preset date.1516
S0450 SHARPSTATS SHARPSTATS has the ability to identify the current date and time on the compromised host.92
S1178 ShrinkLocker ShrinkLocker retrieves a system timestamp that is used in generating an encryption key.17
G0121 Sidewinder Sidewinder has used tools to obtain the current system time.101
S0692 SILENTTRINITY SILENTTRINITY can collect start time information from a compromised host.14
S0615 SombRAT SombRAT can execute getinfo to discover the current time on a compromised host.2627
S1227 StarProxy StarProxy has utilized the windows API call GetLocalTime() to retrieve a SystemTime structure to generate a seed value.62
S0380 StoneDrill StoneDrill can obtain the current date and time of the victim machine.51
S1034 StrifeWater StrifeWater can collect the time zone from the victim’s machine.67
S0603 Stuxnet Stuxnet collects the time and date of a system when it is infected.83
S0559 SUNBURST SUNBURST collected device UPTIME.5253
S1064 SVCReady SVCReady can collect time zone information.69
S0098 T9000 T9000 gathers and beacons the system time during installation.24
S0011 Taidoor Taidoor can use GetLocalTime and GetSystemTime to collect system time.22
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can execute GetLocalTime for time discovery.80
S0467 TajMahal TajMahal has the ability to determine local time on a compromised host.57
G0089 The White Company The White Company has checked the current date on the victim system.111
S0678 Torisma Torisma can collect the current time on a victim machine.29
G0010 Turla Turla surveys a system upon check-in to discover the system time by using the net time command.28
G1048 UNC3886 UNC3886 has used installation scripts to collect the system time on targeted ESXi hosts.110
S0275 UPPERCUT UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.30
G1017 Volt Typhoon
Volt Typhoon has obtained the victim’s system timezone.102
S0466 WindTail WindTail has the ability to generate the current date and time.100
S0251 Zebrocy Zebrocy gathers the current time zone and date information from the system.1920
S0330 Zeus Panda Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.70
G0128 ZIRCONIUM ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.104

References

  1. Apple Support. (n.d.). About systemsetup in Remote Desktop. Retrieved March 27, 2024. 

  2. ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024. 

  3. Check Point Research. (2024, March 8). MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES. Retrieved March 27, 2024. 

  4. Cisco. (2023, March 6). show clock detail - Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022. 

  5. Cone, Matt. (2021, January 14). Synchronize your Mac’s Clock with a Time Server. Retrieved March 27, 2024. 

  6. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  7. Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021. 

  8. Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016. 

  9. Microsoft. (n.d.). System Time. Retrieved November 25, 2016. 

  10. Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016. 

  11. YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). The System Information Discovery Technique Explained - MITRE ATT&CK T1082. Retrieved March 27, 2024. 

  12. YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). Virtualization/Sandbox Evasion - How Attackers Avoid Malware Analysis. Retrieved December 26, 2023. 

  13. Microsoft. (n.d.). Net time. Retrieved November 25, 2016. 

  14. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  15. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. 

  16. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  17. Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024. 

  18. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024. 

  19. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  20. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  21. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  22. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  23. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  24. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. 

  25. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  26. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  27. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  28. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  29. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  30. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  31. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  32. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  33. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. 

  34. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021. 

  35. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  36. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. 

  37. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  38. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. 

  39. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  40. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  41. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018. 

  42. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved November 17, 2024. 

  43. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  44. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  45. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  46. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  47. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  48. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  49. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  50. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  51. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  52. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  53. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  54. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  55. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 

  56. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  57. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  58. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  59. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  60. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  61. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  62. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. 

  63. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  64. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  65. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  66. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  67. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  68. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024. 

  69. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  70. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  71. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  72. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  73. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. 

  74. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  75. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  76. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  77. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. 

  78. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  79. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  80. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  81. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  82. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  83. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. 

  84. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  85. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  86. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. 

  87. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  88. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  89. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  90. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  91. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  92. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  93. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. 

  94. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024. 

  95. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  96. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  97. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  98. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. 

  99. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  100. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 1). Retrieved October 3, 2019. 

  101. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  102. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  103. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  104. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  105. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  106. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024. 

  107. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021. 

  108. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. 

  109. The BlackBerry Research and Intelligence Team. (2024, April 17). Threat Group FIN7 Targets the U.S. Automotive Industry. Retrieved May 1, 2025. 

  110. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025. 

  111. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  112. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  113. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  114. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.