
T1140 Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing so include built-in functionality of the malware itself or the use of utilities already present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.3 Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.42

Sometimes a user's action may be required to open the file for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary.1
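As an added defender-side example (not part of the original ATT&CK page), the following Python does two things the description above implies an analyst needs: it reproduces what a certutil -decode step yields from a certificate-wrapped file (strip the PEM armour, base64-decode, check for an MZ header), and it flags process command lines that match the decode/reassembly patterns named here (certutil -decode, copy /b concatenation, type redirection) plus the split 'FromBase'+0x40+'String' form recorded under C0021. The sample "certificate" and command lines are constructed for the example.

```python
import base64
import re

# --- Part 1: recovering what a certutil -decode step would produce ---------------
# certutil -decode strips the -----BEGIN/END ...----- armour lines and base64-decodes
# everything in between. Doing the same offline shows what a suspicious .crt/.cer
# file really contains: a real certificate decodes to DER (first byte 0x30), a
# hidden executable starts with "MZ".

PEM_ARMOUR = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----\s*$")


def recover_from_cert_wrapper(text: str) -> bytes:
    """Strip PEM armour lines and base64-decode the body, as certutil -decode does."""
    body = "".join(line.strip() for line in text.splitlines()
                   if not PEM_ARMOUR.match(line))
    return base64.b64decode(body, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """True if the decoded bytes carry a DOS/PE 'MZ' signature instead of DER."""
    return data[:2] == b"MZ"


# Constructed sample: a fake "certificate" whose body is just a base64-wrapped MZ
# header followed by zero padding (not a real executable, not from the page).
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_CERT_FILE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_PE).decode()
    + "-----END CERTIFICATE-----\n"
)

# --- Part 2: flagging the decode/reassembly commands the technique describes -----
RULES = [
    # certutil -decode / -decodehex turning a text file back into a binary
    ("certutil_decode",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-decode(?:hex)?\b", re.I)),
    # copy /b a + b + c out: binary concatenation of fragments
    ("copy_b_concat",
     re.compile(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+", re.I)),
    # type f1 f2 > out: the same reassembly via type and output redirection
    ("type_concat_redirect",
     re.compile(r"\btype\s+(?:\S+\s+){2,}>", re.I)),
    # 'FromBase'+0x40+'String' style splitting of FromBase64String (C0021)
    ("split_frombase64string",
     re.compile(r"['\"]FromBase['\"]\s*\+.*?\+\s*['\"]String['\"]", re.I)),
]

# Constructed process-creation command lines; the last two are benign controls.
SAMPLE_COMMAND_LINES = [
    r"certutil.exe -decode C:\Users\Public\update.crt C:\Users\Public\update.exe",
    r"cmd.exe /c copy /b part1.bin + part2.bin + part3.bin payload.exe",
    r"cmd.exe /c type a.txt b.txt > C:\ProgramData\out.dll",
    r"powershell.exe -nop -w hidden [System.Convert]::('FromBase'+0x40+'String')($x)",
    r"certutil.exe -verify C:\Windows\Temp\cert.cer",
    r"copy C:\Users\a\report.docx D:\backup\report.docx",
]


def classify(cmdline: str) -> list:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, [rule names]) for each line that trips at least one rule."""
    hits = []
    for cl in cmdlines:
        names = classify(cl)
        if names:
            hits.append((cl, names))
    return hits


if __name__ == "__main__":
    decoded = recover_from_cert_wrapper(SAMPLE_CERT_FILE)
    print("decoded %d bytes, PE header: %s" % (len(decoded), looks_like_pe(decoded)))
    for cl, names in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(names), "<-", cl)
```

A genuine certutil -decode of a real certificate is common in some environments, so the decoded-content check (Part 1) is what turns the command-line hit into a confirmed finding.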

ID: T1140
Sub-techniques: none
Tactics: TA0005
Platforms: ESXi, Linux, Windows, macOS
Version: 1.4
Created: 14 December 2017
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0469 ABK ABK has the ability to decrypt AES encrypted payloads.84
S1028 Action RAT Action RAT can use Base64 to decode actor-controlled C2 server communications.12
S0331 Agent Tesla Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.199
G1030 Agrius Agrius has deployed base64-encoded variants of ASPXSpy to evade detection.207
S1025 Amadey Amadey has decoded antivirus name strings.279
S1133 Apostle Apostle compiled code is obfuscated in an unspecified fashion prior to delivery to victims.207
S0584 AppleJeus AppleJeus has decoded files received from a C2.11
S0622 AppleSeed AppleSeed can decode its payload prior to execution.83
G0073 APT19 An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.366
G0007 APT28 An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.347348
C0051 APT28 Nearest Neighbor Campaign During APT28 Nearest Neighbor Campaign, APT28 unarchived data using the GUI version of WinRAR.371
G0082 APT38 APT38 has used the RC4 algorithm to decrypt configuration data.328
G0087 APT39 APT39 has used malware to decrypt encrypted CAB files.320
C0046 ArcaneDoor ArcaneDoor involved the use of Base64 obfuscated scripts and commands.380
S0456 Aria-body Aria-body has the ability to decrypt the loader configuration and payload DLL.55
S0373 Astaroth Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.7273
S0347 AuditCred AuditCred uses XOR and RC4 to perform decryption on the code functions.280
S0640 Avaddon Avaddon has decrypted encrypted strings.46
S0473 Avenger Avenger has the ability to decrypt files downloaded from C2.84
S1053 AvosLocker AvosLocker has deobfuscated XOR-encoded strings.137
S0344 Azorult Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.7071
S0638 Babuk Babuk has the ability to unpack itself into memory using XOR.3536
S0414 BabyShark BabyShark has the ability to decode downloaded files prior to execution.161
S0475 BackConfig BackConfig has used a custom routine to decrypt strings.293
S0642 BADFLICK BADFLICK can decode shellcode using a custom rotating XOR cipher.272
S0234 Bandook Bandook has decoded its PowerShell script.298
S0239 Bankshot Bankshot decodes embedded XOR strings.101
S0534 Bazar Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.282283
S0470 BBK BBK has the ability to decrypt AES encrypted payloads.84
S0127 BBSRAT BBSRAT uses Expand to decompress a CAB file into executable content.37
S0574 BendyBear BendyBear has decrypted function blocks using an XOR key during runtime to evade detection.15
S0268 Bisonal Bisonal has decoded strings in the malware using XOR and RC4.9394
G1043 BlackByte BlackByte has encoded commands in base64-encoded sections concatenated together in PowerShell.357 BlackByte uses PowerShell commands to disable Windows Defender.356
S1180 BlackByte Ransomware BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file.275
S0520 BLINDINGCAN BLINDINGCAN has used AES and XOR to decrypt its DLLs.296
S1226 BOOKWORM BOOKWORM has decoded its Base64 encoded payload prior to execution.117 BOOKWORM has also encrypted files with RC4 and has decrypted its payload prior to execution.148
S0635 BoomBox BoomBox can decrypt AES-encrypted files downloaded from C2.42
S0415 BOOSTWRITE BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.21
G0060 BRONZE BUTLER BRONZE BUTLER downloads encoded payloads and decodes them on the victim.318
S1063 Brute Ratel C4 Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.7
S1039 Bumblebee Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.6768
S0482 Bundlore Bundlore has used openssl to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.129
S1118 BUSHWALK BUSHWALK can Base64 decode and RC4 decrypt malicious payloads sent through a web request’s command parameter.88292
C0017 C0017 During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.87
C0021 C0021 During C0021, the threat actors deobfuscated encoded PowerShell commands including use of the specific string 'FromBase'+0x40+'String', in place of FromBase64String which is normally used to decode base64.372373
S0335 Carbon Carbon decrypts task and configuration files for execution.162163
S0348 Cardinal RAT Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.246
S1224 CASTLETAP CASTLETAP can filter and deobfuscate an XOR encrypted activation string in the payload of an ICMP echo request.66
S0160 certutil certutil has been used to decode binaries hidden inside certificate files as Base64 information.3
S0631 Chaes Chaes has decrypted an AES encrypted binary file to trigger the download of other files.297
S0674 CharmPower CharmPower can decrypt downloaded modules prior to execution.90
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings.118
S1041 Chinoxy The Chinoxy dropping function can initiate decryption of its config file.8
S0667 Chrommme Chrommme can decrypt its encrypted internal code.28
G1021 Cinnamon Tempest Cinnamon Tempest has used weaponized DLLs to load and decrypt payloads.359
S1236 CLAIMLOADER CLAIMLOADER has decoded its payload prior to execution.295115
S0660 Clambling Clambling can deobfuscate its payload prior to execution.131213
S0611 Clop Clop has used a simple XOR operation to decrypt strings.32
S1105 COATHANGER COATHANGER decodes configuration items from a bundled file for command and control activity.268
S0154 Cobalt Strike Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.221222
S0369 CoinTicker CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.202
S0126 ComRAT ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.210211
S0575 Conti Conti has decrypted its payload using a hardcoded AES-256 key.6061
S0492 CookieMiner CookieMiner has used Google Chrome’s decryption and extraction operations.174
S1235 CorKLOG CorKLOG has decoded XOR encrypted strings.100
S0614 CostaBricks CostaBricks has the ability to use bytecode to decrypt embedded payloads.48
S0115 Crimson Crimson can decode its encoded PE file prior to execution.98
S1153 Cuckoo Stealer Cuckoo Stealer strings are deobfuscated prior to execution.123124
S0687 Cyclops Blink Cyclops Blink can decrypt and parse instructions sent from C2.294
S1014 DanBot DanBot can use a VBA macro to decode its payload prior to installation and execution.270
S1111 DarkGate DarkGate installation includes binary code stored in a file located in a hidden directory, such as shell.txt, that is decrypted then executed.205 DarkGate uses hexadecimal-encoded shellcode payloads during installation that are called via Windows API CallWindowProc() to decode and then execute.206
G0012 Darkhotel Darkhotel has decrypted strings and imports using RC4 during execution.331332
S1066 DarkTortilla DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher.27
S0673 DarkWatchman DarkWatchman has the ability to self-extract as a RAR archive.203
S0255 DDKONG DDKONG decodes an embedded configuration using XOR.64
S1052 DEADEYE DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.87
S1134 DEADWOOD DEADWOOD XORs some strings within the binary using the value 0xD5, and deobfuscates these items at runtime.207
S0354 Denis Denis will decrypt important strings used for C&C communication.65
S0547 DropBook DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.175
S0502 Drovorub Drovorub has deobfuscated XOR encrypted payloads in WebSocket messages.184
S0567 Dtrack Dtrack has used a decryption routine that is part of an executable physical patch.315
S1158 DUSTPAN DUSTPAN decodes and decrypts embedded payloads.128
S1159 DUSTTRAP DUSTTRAP deobfuscates embedded payloads.128
S0024 Dyre Dyre decrypts resources needed for targeting the victim.132133
G1006 Earth Lusca Earth Lusca has used certutil to decode a string into a cabinet file.333
S0377 Ebury Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.91
S0624 Ecipekac Ecipekac has the ability to decrypt fileless loader modules.260
S0554 Egregor Egregor has been decrypted before execution.125126
S1247 Embargo Embargo has utilized MDeployer to decrypt two payloads that contain MS4Killer toolkit b.cache and the Embargo ransomware executable a.cache with a hardcoded RC4 key wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB.151
S0367 Emotet Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.152
S0634 EnvyScout EnvyScout can deobfuscate and write malicious ISO files to disk.42
S0401 Exaramel for Linux Exaramel for Linux can decrypt its configuration file.17
S1179 Exbyte Exbyte decodes and decrypts data stored in the configuration file with a key provided on the command line during execution.108
S0361 Expand Expand can be used to decompress a local or remote CAB file into an executable.6
S0512 FatDuke FatDuke can decrypt AES encrypted C2 communications.16
G1016 FIN13 FIN13 has utilized certutil to decode base64 encoded versions of custom malware.363
G0046 FIN7 FIN7 has decoded a malicious PowerShell script using certutil -decode hex and has decoded an XOR-obfuscated block of data with the key qawsed1q2w3e, which led to the installation of Lizar.349
S0355 Final1stspy Final1stspy uses Python code to deobfuscate base64-encoded strings.69
S0182 FinFisher FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.278277
S0618 FIVEHANDS FIVEHANDS has the ability to decrypt its payload prior to execution.21749218
S0661 FoggyWeb FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using an XOR key.53
S1120 FRAMESTING FRAMESTING can decompress data received within POST requests.88
C0001 Frankenstein During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.377
S0628 FYAnti FYAnti has the ability to decrypt an embedded .NET module.260
G0047 Gamaredon Group Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded Base64-encoded source code of a downloader.342341343 Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications.344
S0666 Gelsemium Gelsemium can decompress and decrypt DLLs and shellcode.28
S0032 gh0st RAT gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.166
S1117 GLASSTOKEN GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests.105
S0588 GoldMax GoldMax has decoded and decrypted the configuration file when executed.185186
S0477 Goopy Goopy has used a polymorphic decryptor to decrypt itself at runtime.65
S1138 Gootloader Gootloader has the ability to decode and decrypt malicious payloads prior to execution.158157
G0078 Gorgon Group Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.322
S0531 Grandoreiro Grandoreiro can decrypt its encrypted internal strings.212
S0690 Green Lambert Green Lambert can use multiple custom routines to decrypt strings prior to execution.154155
S0632 GrimAgent GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.252
S0499 Hancitor Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.316317
S0697 HermeticWiper HermeticWiper can decompress and copy driver files using LZCopy.164
S1249 HexEval Loader HexEval Loader has decoded its payload prior to execution.24750248
S1027 Heyoka Backdoor Heyoka Backdoor can decrypt its payload prior to execution.51
S0394 HiddenWasp HiddenWasp uses a cipher to implement a decoding function.231
G0126 Higaisa Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.367368
S0601 Hildegard Hildegard has decrypted ELF files with AES.209
S1097 HUI Loader HUI Loader can decrypt and load files containing malicious payloads.177
S0398 HyperBro HyperBro can unpack and decrypt its payload prior to execution.13138
S1022 IceApple IceApple can use a Base64-encoded AES key to decrypt tasking.141
S0434 Imminent Monitor Imminent Monitor has decoded malware components that are then dropped to the system.5
S1139 INC Ransomware INC Ransomware can run CryptStringToBinaryA to decrypt base64 content containing its ransom note.159
S0604 Industroyer Industroyer decrypts code to connect to a remote C2 server.308
S1245 InvisibleFerret InvisibleFerret has decoded XOR-encrypted and Base-64-encoded payloads prior to execution.86
S0260 InvisiMole InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.229230
S0581 IronNetInjector IronNetInjector has the ability to decrypt embedded .NET and PE payloads.9
S0189 ISMInjector ISMInjector uses the certutil command to decode a payload file.106
C0044 Juicy Mix During Juicy Mix, OilRig used a script to concatenate and deobfuscate encoded strings in Mango.120
S1190 Kapeka Kapeka utilizes obfuscated JSON structures for various data storage and configuration management items.219
G0004 Ke3chang Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.327
S0585 Kerrdown Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.269
S0487 Kessel Kessel has decrypted the binary’s configuration once the main function was launched.104
S1051 KEYPLUG KEYPLUG can decode its configuration file to determine C2 protocols.87
S0526 KGH_SPY KGH_SPY can decrypt encrypted strings and write them to a newly created folder.306
G0094 Kimsuky Kimsuky has decoded malicious VBScripts using Base64.323 Kimsuky has also decoded malicious PowerShell scripts using Base64.324
S0641 Kobalos Kobalos decrypts strings right after the initial communication, but before the authentication process.160
S0669 KOCTOPUS KOCTOPUS has deobfuscated itself before executing its commands.13
S0356 KONNI KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.1819
S0236 Kwampirs Kwampirs decrypts and extracts a copy of its main DLL payload when executing.62
S1160 Latrodectus Latrodectus has the ability to deobfuscate encrypted strings.110111109
G0032 Lazarus Group Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.355354
G0065 Leviathan Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.358
S0395 LightNeuron LightNeuron has used AES and XOR to decrypt configuration files and commands.103
S1119 LIGHTWIRE LIGHTWIRE can RC4 decrypt and Base64 decode C2 commands.88
S1186 Line Dancer Line Dancer shellcode payloads are base64 encoded when transmitted to compromised devices.47
S0513 LiteDuke LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.16
S0681 Lizar Lizar has decrypted its configuration data, such as the C2 IP address, ports and other network communication.188189
S1199 LockBit 2.0 LockBit 2.0 can decode scripts and strings in loaded modules.140139
S1202 LockBit 3.0 The LockBit 3.0 payload is decrypted at runtime.242223
S0447 Lokibot Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.39
S0582 LookBack LookBack has a function that decrypts malicious data.313
S0532 Lucifer Lucifer can decrypt its C2 address upon execution.45
S1213 Lumma Stealer Lumma Stealer has used Base64-encoded content during execution, decoded via PowerShell.80
S1143 LunarLoader LunarLoader can deobfuscate files containing the next stages in the infection chain.77
S1142 LunarMail LunarMail can decrypt strings to retrieve configuration settings.77
S1141 LunarWeb LunarWeb can decrypt strings related to communication configuration using RC4 with a static key.77
S0409 Machete Machete’s downloaded data is decrypted using AES.20
S1016 MacMa MacMa decrypts a downloaded file using AES-128-EBC with a custom delta.200
S1060 Mafalda Mafalda can decrypt files and data.92
S1182 MagicRAT MagicRAT stores command and control URLs using base64 encoding in the malware’s configuration file.245
G1026 Malteiro Malteiro has the ability to deobfuscate downloaded files prior to execution.31
S1244 Medusa Ransomware Medusa Ransomware has decoded XOR encrypted strings prior to execution in memory.145146
S0576 MegaCortex MegaCortex has used a Base64 key to decode its components.187
G0045 menuPass menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.352353
S0443 MESSAGETAP After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and reads the contents of the files.182
S1059 metaMain metaMain can decrypt and load other modules.92
S0455 Metamorfo Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.303304305
S0280 MirageFox MirageFox has a function for decrypting data containing C2 configuration information.301
S1122 Mispadu Mispadu decrypts its encrypted configuration files prior to execution.3130
G0021 Molerats Molerats decompresses ZIP files once on the victim machine.330
S1026 Mongall Mongall has the ability to decrypt its payload prior to execution.51
G1036 Moonstone Sleet Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis.325
S1221 MOPSLED MOPSLED can decrypt obfuscated configuration files.130
S0284 More_eggs More_eggs will decode malware components that are then dropped to the system.26
S1047 Mori Mori can resolve networking APIs from strings that are ADD-encrypted.150
G0069 MuddyWater MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript.33733840336
G0129 Mustang Panda Mustang Panda has the ability to decrypt its payload prior to execution.114265117267 Mustang Panda has also utilized RC4 encryption for malicious payloads.326148
S0637 NativeZone NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.42
S0457 Netwalker Netwalker’s PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.79
S1147 Nightdoor Nightdoor stores network configuration data in a file XOR encoded with the key value of 0x7A.311
S1100 Ninja The Ninja loader component can decrypt and decompress the payload.143144
S0353 NOKKI NOKKI uses a unique, custom de-obfuscation technique.241
S1170 ODAgent ODAgent can Base64-decode and XOR decrypt received C2 commands.119
S1172 OilBooster OilBooster can Base64-decode and XOR-decrypt C2 commands taken from JSON files.119
G0049 OilRig An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.33910685340
S0439 Okrum Okrum’s loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.225
S0052 OnionDuke OnionDuke can use a custom decryption algorithm to decrypt strings.16
S0264 OopsIE OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.85
C0016 Operation Dust Storm During Operation Dust Storm, attackers used VBS code to decode payloads.378
C0006 Operation Honeybee During Operation Honeybee, malicious files were decoded prior to execution.379
C0005 Operation Spalax For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads.369
S0402 OSX/Shlayer OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.168 Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.169170
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the rotate function in reporting.95
S0598 P.A.S. Webshell P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.17
S1050 PcShare PcShare has decrypted its strings by applying an XOR operation and a decompression using a custom implemented LZM algorithm.8
S1145 Pikabot Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.242 Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload .text section before consolidating them for further execution.243 Overall LunarMail is associated with multiple encoding and encryption mechanisms to obfuscate the malware’s presence and avoid analysis or detection.244
S0517 Pillowmint Pillowmint has been decompressed by included shellcode prior to being launched.208
S1031 PingPull PingPull can decrypt received data from its C2 server by using AES.271
S0501 PipeMon PipeMon can decrypt password-protected executables.274
S1123 PITSTOP PITSTOP can deobfuscate base64 encoded and AES encrypted commands.292
S0013 PlugX PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.264131266 PlugX has also decrypted its payloads in memory.263113265267
S0428 PoetRAT PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.286
S0518 PolyglotDuke PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.16
S1173 PowerExchange PowerExchange can decode and decrypt C2 commands received via email.249
S1012 PowerLess PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.287
S0223 POWERSTATS POWERSTATS can deobfuscate the main backdoor code.40
S1046 PowGoop PowGoop can decrypt PowerShell scripts for execution.150253
S0279 Proton Proton uses an encrypted file to store commands and configuration values.156
S0613 PS1 PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.48
S0147 Pteranodon Pteranodon can decrypt encrypted data strings prior to using them.149
S1228 PUBLOAD PUBLOAD has decoded its payload prior to execution.113114115116117
S0196 PUNCHBUGGY PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.240
S1032 PyDCrypt PyDCrypt has decrypted and dropped the DCSrv payload to disk.96
S0650 QakBot QakBot can deobfuscate and re-assemble code strings for execution.747576
S0269 QUADAGENT QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.41
S1076 QUIETCANARY QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them.57
S1148 Raccoon Stealer Raccoon Stealer uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers.285284
S0565 Raindrop Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.314239
S0629 RainyDay RainyDay can decrypt its payload via an XOR key.63
S0458 Ramsay Ramsay can extract its agent from the body of a malicious document.300
S1212 RansomHub RansomHub can use a provided passphrase to decrypt its configuration file.127
S1113 RAPIDPULSE RAPIDPULSE listens for specific HTTP query parameters in received communications. If specific parameters match, a hard-coded RC4 key is used to decrypt the HTTP query parameter hmacTime. This decrypts to a filename that is then opened, read, encrypted with the same RC4 key, base64-encoded, written to standard out, then passed as a response to the HTTP request.54
S1130 Raspberry Robin Raspberry Robin contains several layers of obfuscation to hide malicious code from detection and analysis.261
S0495 RDAT RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.122
S1240 RedLine Stealer RedLine Stealer has decoded its payload prior to execution.198
C0056 RedPenguin During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.375374
S0511 RegDuke RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.16
S0375 Remexi Remexi decrypts the configuration data using XOR with 25-character keys.165
S1219 REPTILE The REPTILE launcher component can decrypt kernel module code from a file and load it into memory.130
S0496 REvil REvil can decode encrypted strings to enable execution of commands and payloads.192193194195196197
S0258 RGDoor RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.276
S1222 RIFLESPINE RIFLESPINE can deobfuscate encrypted files prior to execution on targeted hosts.130
S0448 Rising Sun Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.97
S1150 ROADSWEEP ROADSWEEP can decrypt embedded scripts prior to execution.118136
G0106 Rocke Rocke has extracted tar.gz files after downloading them from a C2 server.360
S0270 RogueRobin RogueRobin decodes an embedded executable using base64 and decompresses it.307
S0240 ROKRAT ROKRAT can decrypt strings using the victim’s hostname as the key.179180
S1078 RotaJakiro RotaJakiro uses the AES algorithm, bit shifts in a function called rotate, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and the head and key sections in the network packet structure used for C2 communications.25
S1210 Sagerunex Sagerunex uses a custom decryption routine to unpack itself during installation.147
S1018 Saint Bot Saint Bot can deobfuscate strings and files for execution.220
S1168 SampleCheck5000 SampleCheck5000 can decode and decrypt command line strings and files received through C2.120119
G0034 Sandworm Team Sandworm Team’s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.364365
S1085 Sardonic Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing.107
S0461 SDBbot SDBbot has the ability to decrypt and decompress its payload to enable code execution.3334
S0596 ShadowPad ShadowPad has decrypted a binary blob to start execution.56
S0140 Shamoon Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.176
C0058 SharePoint ToolShell Exploitation During SharePoint ToolShell Exploitation, threat actors decrypted scripts prior to execution.370
S1019 Shark Shark can extract and decrypt downloaded .zip files.223
S0546 SharpStage SharpStage has decompressed data received from the C2 server.204
S0444 ShimRat ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.183
S0589 Sibot Sibot can decrypt data received from a C2 and save to a file.185
S0610 SideTwist SideTwist can decode and decrypt messages received from C2.191
S0623 Siloscape Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio’s Resource Manager.181
S0468 Skidmap Skidmap has the ability to download, unpack, and decrypt tar.gz files.178
S1110 SLIGHTPULSE SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.121
S0226 Smoke Loader Smoke Loader deobfuscates its code.29
S1086 Snip3 Snip3 can decode its second-stage PowerShell script prior to execution.14
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.314
S0615 SombRAT SombRAT can run upload to decrypt and upload files from storage.4849
S0516 SoreFang SoreFang can decode and decrypt exfiltrated data sent to C2.299
S0543 Spark Spark has used a custom XOR algorithm to decrypt the payload.224
S1140 Spica Upon execution Spica can decode an embedded .pdf and write it to the desktop as a decoy document.291
S1232 SplatDropper SplatDropper has decoded XOR encrypted payload.100
S0390 SQLRat SQLRat has scripts that are responsible for deobfuscating additional scripts.233
S1030 Squirrelwaffle Squirrelwaffle has decrypted files and payloads using an XOR-based algorithm.8182
S0188 Starloader Starloader decrypts and executes shellcode from a file called Stars.jps.58
S1227 StarProxy StarProxy has decrypted network packets using a custom algorithm.172
S1112 STEADYPULSE STEADYPULSE can URL decode key/value pairs sent over C2.121
S1200 StealBit StealBit can deobfuscate loaded modules prior to execution.140309
G1046 Storm-1811 Storm-1811 has distributed password-protected archives such as ZIP files during intrusions.334
S1183 StrelaStealer StrelaStealer payloads have included strings encrypted via XOR.255 StrelaStealer JavaScript payloads utilize Base64-encoded payloads that are decoded via certutil to create a malicious DLL file.254256
S0603 Stuxnet Stuxnet decrypts resources that are loaded into memory and executed.78
S0562 SUNSPOT SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.234
S0663 SysUpdate SysUpdate can deobfuscate packed binaries in memory.38
G0092 TA505 TA505 has decrypted packed DLLs with an XOR key.345
S0011 Taidoor Taidoor can use a stream cipher to decrypt strings used by the malware.112
G0139 TeamTNT TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.350
S0560 TEARDROP TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.237238239
S1223 THINCRUST THINCRUST can deobfuscate RSA encrypted C2 commands received through the DEVICEID cookie.66
G0027 Threat Group-3390 During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.346
S0665 ThreatNeedle ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.232
S1239 TONESHELL TONESHELL has decoded its payload prior to execution.115171116172173
S0678 Torisma Torisma has used XOR and Base64 to decode C2 data.99
S0266 TrickBot TrickBot decodes the configuration data and modules.214215216
G0081 Tropic Trooper Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.361362
S0436 TSCookie TSCookie has the ability to decrypt, load, and execute a DLL and its resources.59
S0647 Turian Turian has the ability to use an XOR decryption key to extract C2 server domains and IP addresses.190
G0010 Turla Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.319
S0263 TYPEFRAME One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value “0x35”.142
S1164 UPSTYLE UPSTYLE encodes its main content prior to loading via Python as base64-encoded blobs.4443
S0022 Uroburos Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.273
S0386 Ursnif Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.135
S0476 Valak Valak has the ability to decode and decrypt downloaded files.235236
S0636 VaporRage VaporRage can deobfuscate XOR-encoded shellcode prior to execution.42
S0257 VERMIN VERMIN decrypts code, strings, and commands to use once it’s on the victim’s machine.102
S0180 Volgmer Volgmer deobfuscates its strings and APIs once it's executed.312
G1017 Volt Typhoon Volt Typhoon has used Base64-encoded data to transfer payloads and commands, including deobfuscation via certutil.329
S0670 WarzoneRAT WarzoneRAT can use XOR 0x45 to decrypt obfuscated code.153
S0612 WastedLocker WastedLocker’s custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.262
C0037 Water Curupira Pikabot Distribution Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.376
S0579 Waterbear Waterbear has the ability to decrypt its RC4 encrypted payload for execution.134
S0515 WellMail WellMail can decompress scripts received from C2.201
S0514 WellMess WellMess can decode and decrypt data received from C2.257258259
S0689 WhisperGate WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.250251
S0466 WindTail WindTail has the ability to decrypt strings using hard-coded AES keys.226
S0430 Winnti for Linux Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.89
S0141 Winnti for Windows The Winnti for Windows dropper can decrypt and decompress a data blob.281
G1035 Winter Vivern Winter Vivern delivered exploit payloads via base64-encoded payloads in malicious email messages.351
S1115 WIREFIRE WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP POST requests.52
G0090 WIRTE WIRTE has used Base64 to decode malicious VBS script.321
S1065 Woody RAT Woody RAT can deobfuscate Base64-encoded strings and scripts.167
S0653 xCaon xCaon has decoded strings from the C2 server before executing commands.302
S1207 XLoader XLoader uses XOR and RC4 algorithms to decrypt payloads and functions.228 XLoader can be distributed as a self-extracting RAR archive that launches an AutoIT loader.227
S1248 XORIndex Loader XORIndex Loader can decode its payload prior to execution.50
S0388 YAHOYAH YAHOYAH decrypts downloaded files before execution.138
S0251 Zebrocy Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.288289
S0230 ZeroT ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.10
S0330 Zeus Panda Zeus Panda decrypts strings in the code during the execution process.290
G0128 ZIRCONIUM ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.335
S1013 ZxxZ ZxxZ has used an XOR key to decrypt strings.310

References


  1. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  2. Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025. 

  3. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. 

  4. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. 

  5. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  6. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019. 

  7. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  8. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  9. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. 

  10. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  11. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  12. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  13. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  14. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. 

  15. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  16. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  17. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  18. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. 

  19. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  20. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  21. Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  22. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  23. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025. 

  24. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025. 

  25. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023. 

  26. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  27. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  28. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  29. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. 

  30. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. 

  31. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. 

  32. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. 

  33. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  34. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  35. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  36. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021. 

  37. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  38. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  39. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  40. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  41. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  42. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  43. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025. 

  44. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024. 

  45. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  46. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. 

  47. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025. 

  48. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  49. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  50. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025. 

  51. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  52. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024. 

  53. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  54. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. 

  55. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  56. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  57. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 

  58. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  59. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  60. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. 

  61. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  62. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  63. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  64. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  65. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  66. Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023. 

  67. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  68. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022. 

  69. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  70. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  71. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. 

  72. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  73. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  74. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  75. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  76. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  77. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  78. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024. 

  79. Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  80. Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025. 

  81. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  82. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  83. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  84. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  85. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  86. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  87. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  88. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. 

  89. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  90. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  91. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021. 

  92. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  93. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  94. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  95. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. 

  96. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  97. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  98. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  99. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  100. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  101. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  102. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  103. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  104. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  105. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024. 

  106. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. 

  107. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023. 

  108. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024. 

  109. Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024. 

  110. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024. 

  111. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 

  112. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  113. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. 

  114. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025. 

  115. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  116. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025. 

  117. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025. 

  118. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  119. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024. 

  120. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  121. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024. 

  122. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  123. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024. 

  124. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024. 

  125. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. 

  126. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. 

  127. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025. 

  128. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  129. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  130. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 

  131. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  132. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. 

  133. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. 

  134. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  135. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. 

  136. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. 

  137. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. 

  138. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  139. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025. 

  140. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025. 

  141. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  142. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  143. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  144. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  145. Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025. 

  146. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. 

  147. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025. 

  148. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025. 

  149. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  150. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  151. Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025. 

  152. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023. 

  153. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  154. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. 

  155. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024. 

  156. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  157. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024. 

  158. Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022. 

  159. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. 

  160. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. 

  161. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  162. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. 

  163. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. 

  164. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  165. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  166. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  167. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  168. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 

  169. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. 

  170. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  171. Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025. 

  172. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. 

  173. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025. 

  174. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. 

  175. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  176. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  177. Counter Threat Unit Research Team. (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023. 

  178. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  179. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  180. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  181. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. 

  182. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages? Retrieved May 11, 2020. 

  183. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  184. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  185. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  186. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  187. Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  188. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  189. Bourhis, P., Sekoia TDR. (2024, February 1). Unveiling the intricacies of DiceLoader. Retrieved May 14, 2025. 

  190. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021. 

  191. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  192. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020. 

  193. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  194. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  195. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  196. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  197. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  198. Splunk Threat Research Team. (2023, June 1). Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis. Retrieved September 17, 2025. 

  199. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. 

  200. M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  201. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. 

  202. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. 

  203. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  204. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  205. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  206. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  207. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. 

  208. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020. 

  209. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  210. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  211. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  212. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  213. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  214. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. 

  215. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  216. Joe Security. (2020, July 13). TrickBot’s new API-Hammering explained. Retrieved September 30, 2021. 

  217. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  218. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. 

  219. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025. 

  220. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  221. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024. 

  222. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  223. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  224. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  225. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  226. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 1). Retrieved October 3, 2019. 

  227. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025. 

  228. Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025. 

  229. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  230. Hromcova, Z. and Cherepanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  231. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  232. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  233. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  234. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  235. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020. 

  236. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 

  237. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  238. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021. 

  239. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. 

  240. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  241. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  242. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024. 

  243. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024. 

  244. Swachchhanda Shrawan Poudel. (2024, February). Pikabot: A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024. 

  245. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024. 

  246. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  247. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025. 

  248. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025. 

  249. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024. 

  250. Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  251. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  252. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  253. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. 

  254. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024. 

  255. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024. 

  256. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024. 

  257. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  258. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. 

  259. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  260. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  261. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024. 

  262. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  263. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  264. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  265. EclecticIQ Threat Research Team. (2023, February 2). Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware. Retrieved September 9, 2025. 

  266. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  267. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025. 

  268. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024. 

  269. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  270. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019. 

  271. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  272. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  273. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  274. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  275. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024. 

  276. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. 

  277. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  278. FinFisher. (n.d.). Retrieved September 12, 2024. 

  279. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  280. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  281. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  282. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  283. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  284. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024. 

  285. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  286. Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021. 

  287. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  288. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  289. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  290. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  291. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024. 

  292. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024. 

  293. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  294. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025. 

  295. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  296. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  297. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  298. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  299. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  300. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. 

  301. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  302. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  303. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  304. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  305. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  306. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. 

  307. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. 

  308. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025. 

  309. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  310. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024. 

  311. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  312. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  313. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  314. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  315. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. 

  316. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. 

  317. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  318. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  319. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  320. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. 

  321. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  322. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  323. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025. 

  324. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. 

  325. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025. 

  326. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  327. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024. 

  328. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. 

  329. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  330. Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018. 

  331. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021. 

  332. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  333. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025. 

  334. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021. 

  335. Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  336. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  337. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018. 

  338. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  339. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  340. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  341. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  342. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024. 

  343. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. 

  344. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  345. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  346. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  347. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  348. Gemini Advisory. (2022, January 13). FIN7 Uses Flash Drives to Spread Remote Access Trojan. Retrieved May 14, 2025. 

  349. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  350. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024. 

  351. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  352. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  353. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  354. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  355. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024. 

  356. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024. 

  357. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  358. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023. 

  359. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  360. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018. 

  361. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  362. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. 

  363. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  364. Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020. 

  365. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  366. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  367. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  368. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  369. Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025. 

  370. Koessel, S., Adair, S., Lancaster, T. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025. 

  371. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  372. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. 

  373. Juniper Networks, Cybersecurity R&D. (2025, March 11). The RedPenguin Malware Incident. Retrieved June 24, 2025. 

  374. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025. 

  375. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024. 

  376. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  377. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  378. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  379. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.