Skip to content

T1140 Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.2 Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.3

Sometimes a user’s action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. 1

Item Value
ID T1140
Sub-techniques
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.2
Created 14 December 2017
Last Modified 21 April 2023

Procedure Examples

ID Name Description
S0469 ABK ABK has the ability to decrypt AES encrypted payloads.118
S1028 Action RAT Action RAT can use Base64 to decode actor-controlled C2 server communications.45
S0331 Agent Tesla Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.36
S1025 Amadey Amadey has decoded antivirus name strings.132
S0584 AppleJeus AppleJeus has decoded files received from a C2.54
S0622 AppleSeed AppleSeed can decode its payload prior to execution.141
G0073 APT19 An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.249
G0007 APT28 An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.253254
G0087 APT39 APT39 has used malware to decrypt encrypted CAB files.226
S0456 Aria-body Aria-body has the ability to decrypt the loader configuration and payload DLL.167
S0373 Astaroth Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. 7677
S0347 AuditCred AuditCred uses XOR and RC4 to perform decryption on the code functions.46
S0640 Avaddon Avaddon has decrypted encrypted strings.97
S0473 Avenger Avenger has the ability to decrypt files downloaded from C2.118
S1053 AvosLocker AvosLocker has deobfuscated XOR-encoded strings.81
S0344 Azorult Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.125126
S0638 Babuk Babuk has the ability to unpack itself into memory using XOR.165166
S0414 BabyShark BabyShark has the ability to decode downloaded files prior to execution.107
S0475 BackConfig BackConfig has used a custom routine to decrypt strings.222
S0642 BADFLICK BADFLICK can decode shellcode using a custom rotating XOR cipher.189
S0234 Bandook Bandook has decoded its PowerShell script.82
S0239 Bankshot Bankshot decodes embedded XOR strings.94
S0534 Bazar Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.8485
S0470 BBK BBK has the ability to decrypt AES encrypted payloads.118
S0127 BBSRAT BBSRAT uses Expand to decompress a CAB file into executable content.170
S0574 BendyBear BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.123
S0268 Bisonal Bisonal has decoded strings in the malware using XOR and RC4.5051
S0520 BLINDINGCAN BLINDINGCAN has used AES and XOR to decrypt its DLLs.35
S0635 BoomBox BoomBox can decrypt AES-encrypted files downloaded from C2.30
S0415 BOOSTWRITE BOOSTWRITE has used a a 32-byte long multi-XOR key to decode data inside its payload.169
G0060 BRONZE BUTLER BRONZE BUTLER downloads encoded payloads and decodes them on the victim.250
S1063 Brute Ratel C4 Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.7
S1039 Bumblebee Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.5859
S0482 Bundlore Bundlore has used openssl to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.60
C0017 C0017 During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.55
C0021 C0021 During C0021, the threat actors deobfuscated encoded PowerShell commands including use of the specific string 'FromBase'+0x40+'String', in place of FromBase64String which is normally used to decode base64.267268
S0335 Carbon Carbon decrypts task and configuration files for execution.1415
S0348 Cardinal RAT Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.147
S0160 certutil certutil has been used to decode binaries hidden inside certificate files as Base64 information.2
S0631 Chaes Chaes has decrypted an AES encrypted binary file to trigger the download of other files.131
S0674 CharmPower CharmPower can decrypt downloaded modules prior to execution.96
S1041 Chinoxy The Chinoxy dropping function can initiate decryption of its config file.8
S0667 Chrommme Chrommme can decrypt its encrypted internal code.148
S0660 Clambling Clambling can deobfuscate its payload prior to execution.8990
S0611 Clop Clop has used a simple XOR operation to decrypt strings.179
S0154 Cobalt Strike Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.6768
S0369 CoinTicker CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.20
S0126 ComRAT ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.116117
S0575 Conti Conti has decrypted its payload using a hardcoded AES-256 key.216217
S0492 CookieMiner CookieMiner has used Google Chrome’s decryption and extraction operations.171
S0614 CostaBricks CostaBricks has the ability to use bytecode to decrypt embedded payloads.16
S0115 Crimson Crimson can decode its encoded PE file prior to execution.138
S0687 Cyclops Blink Cyclops Blink can decrypt and parse instructions sent from C2.49
S1014 DanBot DanBot can use a VBA macro to decode its payload prior to installation and execution.163
G0012 Darkhotel Darkhotel has decrypted strings and imports using RC4 during execution.240241
S1066 DarkTortilla DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher.173
S0673 DarkWatchman DarkWatchman has the ability to self-extract as a RAR archive.79
S0255 DDKONG DDKONG decodes an embedded configuration using XOR.78
S1052 DEADEYE DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.55
S0354 Denis Denis will decrypt important strings used for C&C communication.88
S0547 DropBook DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.86
S0502 Drovorub Drovorub has de-obsfuscated XOR encrypted payloads in WebSocket messages.91
S0567 Dtrack Dtrack has used a decryption routine that is part of an executable physical patch.184
S0024 Dyre Dyre decrypts resources needed for targeting the victim.181182
G1006 Earth Lusca Earth Lusca has used certutil to decode a string into a cabinet file.234
S0377 Ebury Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.156
S0624 Ecipekac Ecipekac has the ability to decrypt fileless loader modules.43
S0554 Egregor Egregor has been decrypted before execution.207208
S0634 EnvyScout EnvyScout can deobfuscate and write malicious ISO files to disk.30
S0401 Exaramel for Linux Exaramel for Linux can decrypt its configuration file.142
S0361 Expand Expand can be used to decompress a local or remote CAB file into an executable.6
S0512 FatDuke FatDuke can decrypt AES encrypted C2 communications.56
S0355 Final1stspy Final1stspy uses Python code to deobfuscate base64-encoded strings.19
S0182 FinFisher FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.139140
S0618 FIVEHANDS FIVEHANDS has the ability to decrypt its payload prior to execution.91011
S0661 FoggyWeb FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using a XOR key.223
C0001 Frankenstein During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.264
S0628 FYAnti FYAnti has the ability to decrypt an embedded .NET module.43
G0047 Gamaredon Group Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.243244
S0666 Gelsemium Gelsemium can decompress and decrypt DLLs and shellcode.148
S0032 gh0st RAT gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.48
S0588 GoldMax GoldMax has decoded and decrypted the configuration file when executed.1372
S0477 Goopy Goopy has used a polymorphic decryptor to decrypt itself at runtime.88
G0078 Gorgon Group Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.235
S0531 Grandoreiro Grandoreiro can decrypt its encrypted internal strings.178
S0690 Green Lambert Green Lambert can use multiple custom routines to decrypt strings prior to execution.6162
S0632 GrimAgent GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.66
S0499 Hancitor Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.7374
S0697 HermeticWiper HermeticWiper can decompress and copy driver files using LZCopy.204
S1027 Heyoka Backdoor Heyoka Backdoor can decrypt its payload prior to execution.114
S0394 HiddenWasp HiddenWasp uses a cipher to implement a decoding function.188
G0126 Higaisa Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.232233
S0601 Hildegard Hildegard has decrypted ELF files with AES.12
S0398 HyperBro HyperBro can unpack and decrypt its payload prior to execution.8992
S1022 IceApple IceApple can use a Base64-encoded AES key to decrypt tasking.42
S0434 Imminent Monitor Imminent Monitor has decoded malware components that are then dropped to the system.4
S0604 Industroyer Industroyer decrypts code to connect to a remote C2 server.143
S0260 InvisiMole InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.150151
S0581 IronNetInjector IronNetInjector has the ability to decrypt embedded .NET and PE payloads.5
S0189 ISMInjector ISMInjector uses the certutil command to decode a payload file.162
G0004 Ke3chang Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.230
S0585 Kerrdown Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.64
S0487 Kessel Kessel has decrypted the binary’s configuration once the main function was launched.75
S1051 KEYPLUG KEYPLUG can decode its configuration file to determine C2 protocols.55
S0526 KGH_SPY KGH_SPY can decrypt encrypted strings and write them to a newly created folder.57
G0094 Kimsuky Kimsuky has decoded malicious VBScripts using Base64.261
S0641 Kobalos Kobalos decrypts strings right after the initial communication, but before the authentication process.161
S0669 KOCTOPUS KOCTOPUS has deobfuscated itself before executing its commands.87
S0356 KONNI KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.202203
S0236 Kwampirs Kwampirs decrypts and extracts a copy of its main DLL payload when executing.103
G0032 Lazarus Group Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.256255
G0065 Leviathan Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.236
S0395 LightNeuron LightNeuron has used AES and XOR to decrypt configuration files and commands.63
S0513 LiteDuke LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.56
S0681 Lizar Lizar can decrypt its configuration data.21
S0447 Lokibot Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.136
S0582 LookBack LookBack has a function that decrypts malicious data.149
S0532 Lucifer Lucifer can decrypt its C2 address upon execution.160
S0409 Machete Machete’s downloaded data is decrypted using AES.174
S1016 MacMa MacMa decrypts a downloaded file using AES-128-EBC with a custom delta.121
S1060 Mafalda Mafalda can decrypt files and data.44
S0576 MegaCortex MegaCortex has used a Base64 key to decode its components.168
G0045 menuPass menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.245246
S0443 MESSAGETAP After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and read the contents of the files. 93
S1059 metaMain metaMain can decrypt and load other modules.44
S0455 Metamorfo Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.313233
S0280 MirageFox MirageFox has a function for decrypting data containing C2 configuration information.176
G0021 Molerats Molerats decompresses ZIP files once on the victim machine.242
S1026 Mongall Mongall has the ability to decrypt its payload prior to execution.114
S0284 More_eggs More_eggs will decode malware components that are then dropped to the system.122
S1047 Mori Mori can resolve networking APIs from strings that are ADD-encrypted.41
G0069 MuddyWater MuddyWater decoded base64-encoded PowerShell commands using a VBS file.238239224237
S0637 NativeZone NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.30
S0457 Netwalker Netwalker‘s PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.52
S0353 NOKKI NOKKI uses a unique, custom de-obfuscation technique.213
G0049 OilRig A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.25816239259
S0439 Okrum Okrum‘s loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.37
S0052 OnionDuke OnionDuke can use a custom decryption algorithm to decrypt strings.56
S0264 OopsIE OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.39
C0016 Operation Dust Storm During Operation Dust Storm, attackers used VBS code to decode payloads.265
C0006 Operation Honeybee During Operation Honeybee, malicious files were decoded prior to execution.266
C0005 Operation Spalax For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads.263
S0402 OSX/Shlayer OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.128 Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.129130
S0598 P.A.S. Webshell P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.142
S1050 PcShare PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm.8
S0517 Pillowmint Pillowmint has been decompressed by included shellcode prior to being launched.172
S1031 PingPull PingPull can decrypt received data from its C2 server by using AES.71
S0501 PipeMon PipeMon can decrypt password-protected executables.220
S0013 PlugX PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.13489135
S0428 PoetRAT PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.102
S0518 PolyglotDuke PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.56
S1012 PowerLess PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.145
S0223 POWERSTATS POWERSTATS can deobfuscate the main backdoor code.224
S1046 PowGoop PowGoop can decrypt PowerShell scripts for execution.41225
S0279 Proton Proton uses an encrypted file to store commands and configuration values.127
S0613 PS1 PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.16
S0147 Pteranodon Pteranodon can decrypt encrypted data strings prior to using them.146
S0196 PUNCHBUGGY PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.115
S1032 PyDCrypt PyDCrypt has decrypted and dropped the DCSrv payload to disk.34
S0650 QakBot QakBot can deobfuscate and re-assemble code strings for execution.194195196
S0269 QUADAGENT QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.38
S0565 Raindrop Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.210155
S0629 RainyDay RainyDay can decrypt its payload via a XOR key.219
S0458 Ramsay Ramsay can extract its agent from the body of a malicious document.211
S0495 RDAT RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.205
S0511 RegDuke RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.56
S0375 Remexi Remexi decrypts the configuration data using XOR with 25-character keys.180
S0496 REvil REvil can decode encrypted strings to enable execution of commands and payloads.232425262728
S0258 RGDoor RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.29
S0448 Rising Sun Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.110
G0106 Rocke Rocke has extracted tar.gz files after downloading them from a C2 server.257
S0270 RogueRobin RogueRobin decodes an embedded executable using base64 and decompresses it.193
S0240 ROKRAT ROKRAT can decrypt strings using the victim’s hostname as the key.157158
S1018 Saint Bot Saint Bot can deobfuscate strings and files for execution.101
G0034 Sandworm Team Sandworm Team‘s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.227228
S0461 SDBbot SDBbot has the ability to decrypt and decompress its payload to enable code execution.108109
S0596 ShadowPad ShadowPad has decrypted a binary blob to start execution.65
S0140 Shamoon Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.221
S1019 Shark Shark can extract and decrypt downloaded .zip files.106
S0546 SharpStage SharpStage has decompressed data received from the C2 server.192
S0444 ShimRat ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.83
S0589 Sibot Sibot can decrypt data received from a C2 and save to a file.13
S0610 SideTwist SideTwist can decode and decrypt messages received from C2.197
S0623 Siloscape Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio’s Resource Manager.206
S0468 Skidmap Skidmap has the ability to download, unpack, and decrypt tar.gz files .111
S0226 Smoke Loader Smoke Loader deobfuscates its code.124
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.210
S0615 SombRAT SombRAT can run upload to decrypt and upload files from storage.1610
S0516 SoreFang SoreFang can decode and decrypt exfiltrated data sent to C2.40
S0543 Spark Spark has used a custom XOR algorithm to decrypt the payload.17
S0390 SQLRat SQLRat has scripts that are responsible for deobfuscating additional scripts.164
S1030 Squirrelwaffle Squirrelwaffle has decrypted files and payloads using a XOR-based algorithm.112113
S0188 Starloader Starloader decrypts and executes shellcode from a file called Stars.jps.214
S0603 Stuxnet Stuxnet decrypts resources that are loaded into memory and executed.152
S0562 SUNSPOT SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.69
S0663 SysUpdate SysUpdate can deobfuscate packed binaries in memory.92
G0092 TA505 TA505 has decrypted packed DLLs with an XOR key.262
S0011 Taidoor Taidoor can use a stream cipher to decrypt stings used by the malware.22
G0139 TeamTNT TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.231
S0560 TEARDROP TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.153154155
G0027 Threat Group-3390 During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.251
S0665 ThreatNeedle ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.144
S0678 Torisma Torisma has used XOR and Base64 to decode C2 data.218
S0266 TrickBot TrickBot decodes the configuration data and modules.199200201
G0081 Tropic Trooper Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.247248
S0436 TSCookie TSCookie has the ability to decrypt, load, and execute a DLL and its resources.53
S0647 Turian Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses.159
G0010 Turla Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.252
S0263 TYPEFRAME One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value “0x35”.198
S0386 Ursnif Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.80
S0476 Valak Valak has the ability to decode and decrypt downloaded files.104105
S0636 VaporRage VaporRage can deobfuscate XOR-encoded shellcode prior to execution.30
S0257 VERMIN VERMIN decrypts code, strings, and commands to use once it’s on the victim’s machine.187
S0180 Volgmer Volgmer deobfuscates its strings and APIs once its executed.137
S0670 WarzoneRAT WarzoneRAT can use XOR 0x45 to decrypt obfuscated code.209
S0612 WastedLocker WastedLocker‘s custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.70
S0579 Waterbear Waterbear has the ability to decrypt its RC4 encrypted payload for execution.120
S0515 WellMail WellMail can decompress scripts received from C2.215
S0514 WellMess WellMess can decode and decrypt data received from C2.9899100
S0689 WhisperGate WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.185186
S0466 WindTail WindTail has the ability to decrypt strings using hard-coded AES keys.212
S0430 Winnti for Linux Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.47
S0141 Winnti for Windows The Winnti for Windows dropper can decrypt and decompresses a data blob.119
G0090 WIRTE WIRTE has used Base64 to decode malicious VBS script.229
S1065 Woody RAT Woody RAT can deobfuscate Base64-encoded strings and scripts.175
S0653 xCaon xCaon has decoded strings from the C2 server before executing commands.95
S0388 YAHOYAH YAHOYAH decrypts downloaded files before execution.177
S0251 Zebrocy Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.190191
S0230 ZeroT ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.133
S0330 Zeus Panda Zeus Panda decrypts strings in the code during the execution process.183
G0128 ZIRCONIUM ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.260
S1013 ZxxZ ZxxZ has used a XOR key to decrypt strings.18

Detection

ID Data Source Data Component
DS0022 File File Modification
DS0009 Process Process Creation
DS0012 Script Script Execution

References


  1. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  2. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. 

  3. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. 

  4. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  5. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. 

  6. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019. 

  7. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  8. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  9. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  10. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  11. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. 

  12. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  13. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  14. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. 

  15. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. 

  16. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  17. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  18. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  19. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  20. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. 

  21. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  22. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  23. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020. 

  24. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  25. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  26. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  27. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  28. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  29. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. 

  30. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  31. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  32. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  33. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  34. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  35. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  36. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. 

  37. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  38. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  39. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  40. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  41. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  42. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  43. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  44. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  45. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  46. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  47. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  48. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  49. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  50. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  51. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  52. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  53. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  54. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  55. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  56. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  57. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  58. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022. 

  59. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  60. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. 

  61. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. 

  62. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  63. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  64. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  65. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  66. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  67. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  68. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  69. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  70. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  71. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  72. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. 

  73. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. 

  74. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  75. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  76. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  77. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  78. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  79. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. 

  80. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. 

  81. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  82. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  83. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  84. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  85. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  86. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  87. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  88. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  89. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  90. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  91. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  92. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. 

  93. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  94. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  95. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  96. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. 

  97. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  98. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. 

  99. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  100. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  101. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. 

  102. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  103. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. 

  104. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 

  105. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  106. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  107. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  108. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  109. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  110. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  111. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  112. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  113. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  114. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  115. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  116. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  117. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  118. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  119. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  120. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  121. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  122. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  123. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. 

  124. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  125. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. 

  126. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  127. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 

  128. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. 

  129. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  130. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  131. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  132. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  133. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  134. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  135. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  136. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  137. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  138. FinFisher. (n.d.). Retrieved December 20, 2017. 

  139. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  140. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  141. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  142. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. 

  143. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  144. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  145. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  146. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  147. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  148. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  149. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  150. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  151. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22  

  152. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  153. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021. 

  154. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. 

  155. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021. 

  156. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  157. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  158. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  159. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  160. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. 

  161. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. 

  162. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  163. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  164. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  165. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021. 

  166. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  167. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  168. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  169. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  170. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. 

  171. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  172. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  173. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  174. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  175. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. 

  176. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  177. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  178. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. 

  179. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  180. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. 

  181. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. 

  182. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  183. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  184. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  185. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  186. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  187. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  188. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  189. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  190. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  191. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  192. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. 

  193. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  194. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  195. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  196. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  197. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  198. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. 

  199. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  200. Joe Security. (2020, July 13). TrickBot’s new API-Hammering explained. Retrieved September 30, 2021. 

  201. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. 

  202. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  203. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  204. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  205. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. 

  206. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. 

  207. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. 

  208. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  209. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  210. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  211. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 1). Retrieved October 3, 2019. 

  212. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  213. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  214. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. 

  215. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. 

  216. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  217. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  218. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  219. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  220. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  221. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  222. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  223. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  224. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. 

  225. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  226. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  227. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020. 

  228. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. 

  229. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  230. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  231. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  232. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  233. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  234. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  235. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  236. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  237. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  238. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018. 

  239. Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018. 

  240. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. 

  241. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  242. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  243. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  244. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  245. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  246. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018. 

  247. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  248. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  249. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  250. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  251. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  252. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  253. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  254. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  255. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  256. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  257. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  258. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  259. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021. 

  260. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  261. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  262. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  263. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  264. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  265. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  266. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  267. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.