T1543.003 Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[3] Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe.[5][8][6] Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as “Bring Your Own Vulnerable Driver” (BYOVD)) as part of Exploitation for Privilege Escalation.[2][6]

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution. To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component).

Item Value
ID T1543.003
Sub-techniques T1543.001, T1543.002, T1543.003, T1543.004
Tactics TA0003, TA0004
Platforms Windows
Version 1.3
Created 17 January 2020
Last Modified 21 April 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.[39]
S0504 Anchor Anchor can establish persistence by creating a service.[72]
S0584 AppleJeus AppleJeus can install itself as a service.[65]
G0073 APT19 An APT19 Port 22 malware variant registers itself as a service.[122]
G0022 APT3 APT3 has a tool that creates a new service for persistence.[134]
G0050 APT32 APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.[130][131][132]
G0082 APT38 APT38 has installed a new Windows service to establish persistence.[125]
G0096 APT41 APT41 modified legitimate Windows services to install malware backdoors.[127][129] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[128]
S0438 Attor Attor's dispatcher can establish persistence by registering a new service.[119]
S0347 AuditCred AuditCred is installed as a new service on the system.[38]
S0239 Bankshot Bankshot can terminate a specific process by its process id.[40][41]
S0127 BBSRAT BBSRAT can modify service configurations.[114]
S0268 Bisonal Bisonal has been modified to be used as a Windows service.[92]
S0570 BitPaymer BitPaymer has attempted to install itself as a service to maintain persistence.[64]
S1070 Black Basta Black Basta can create a new service to establish persistence.[63][62]
S0089 BlackEnergy One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.[24]
G0108 Blue Mockingbird Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.[126]
S0204 Briba Briba installs a service pointing to a malicious DLL dropped to disk.[67]
G0008 Carbanak Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.[142]
S0335 Carbon Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.[115]
S0261 Catchamas Catchamas adds a new service named NetAdapter to establish persistence.[91]
S0660 Clambling Clambling can register itself as a system service to gain persistence.[74]
G0080 Cobalt Group Cobalt Group has created new services to establish persistence.[141]
S0154 Cobalt Strike Cobalt Strike can install a new service.[120]
S0608 Conficker Conficker copies itself into the %systemroot%\system32 directory and registers as a service.[84]
S0050 CosmicDuke CosmicDuke uses Windows services typically named “javamtsup” for persistence.[16]
S0046 CozyCar One persistence mechanism used by CozyCar is to register itself as a Windows service.[108]
S0625 Cuba Cuba can modify services by using the OpenService and ChangeServiceConfig functions.[107]
G0105 DarkVishnya DarkVishnya created new services for shellcode loaders distribution.[121]
S1033 DCSrv DCSrv has created new services for persistence by modifying the Registry.[28]
S0567 Dtrack Dtrack can add a service called WBService to establish persistence.[54]
S0038 Duqu Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.[88]
S0024 Dyre Dyre registers itself as a service by adding several Registry keys.[30]
G1006 Earth Lusca Earth Lusca created a service using the command sc create "SysUpdate" binpath= "cmd /c start "[file path]""&&sc config "SysUpdate" start= auto&&net start SysUpdate for persistence.[123]
S0081 Elise Elise configures itself as a service.[17]
S0082 Emissary Emissary is capable of configuring itself as a service.[21]
S0367 Emotet Emotet has been observed creating new services to maintain persistence.[26][27]
S0363 Empire Empire can utilize built-in modules to modify service binaries and restore them to their original state.[15]
S0343 Exaramel for Windows The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV.”[35]
S0181 FALLCHILL FALLCHILL has been installed as a Windows service.[65]
G0046 FIN7 FIN7 created new Windows services and added them to the startup directories for persistence.[124]
S0182 FinFisher FinFisher creates a new Windows service with the malicious executable for persistence.[97][98]
S1044 FunnyDream FunnyDream has established persistence by running sc.exe and by setting the WSearch service to run automatically.[101]
S0666 Gelsemium Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.[49]
S0032 gh0st RAT gh0st RAT can create a new service to establish persistence.[45][46]
S0493 GoldenSpy GoldenSpy has established persistence by running in the background as an autostart service.[82]
S0342 GreyEnergy GreyEnergy chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key.[89]
S0071 hcdLoader hcdLoader installs itself as a service for persistence.[85][86]
S0697 HermeticWiper HermeticWiper can load drivers by creating a new service using the CreateServiceW API.[8]
S0203 Hydraq Hydraq creates new services to establish persistence.[116][117][118]
S0604 Industroyer Industroyer can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary.[39]
S0259 InnaputRAT Some InnaputRAT variants create a new Windows service to establish persistence.[93]
S0260 InvisiMole InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.[2]
S0044 JHUHUGIT JHUHUGIT has registered itself as a service to establish persistence.[47]
S0265 Kazuar Kazuar can install itself as a new service.[18]
G0004 Ke3chang Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.[133]
S0387 KeyBoy KeyBoy installs a service pointing to a malicious DLL dropped to disk.[87]
G0094 Kimsuky Kimsuky has created new services for persistence.[144][145]
S0356 KONNI KONNI has registered itself as a service using its export function.[76]
S0236 Kwampirs Kwampirs creates a new service named WmiApSrvEx to establish persistence.[112]
G0032 Lazarus Group Several Lazarus Group malware families install themselves as new services.[140][139]
S0451 LoudMiner LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.[81]
S0149 MoonWind MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.[69]
S0205 Naid Naid creates a new service to establish persistence.[70]
S0630 Nebulae Nebulae can create a service to establish persistence.[31]
S0210 Nerex Nerex creates a Registry subkey that registers a new service.[99]
S0118 Nidiran Nidiran can create a new service named msamger (Microsoft Security Accounts Manager).[60]
S0439 Okrum To establish persistence, Okrum can install itself as a new service named NtmSsvc.[19]
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors modified the IKEEXT and PrintNotify Windows services for persistence.[148]
C0006 Operation Honeybee During Operation Honeybee, threat actors installed DLLs and backdoors as Windows services.[147]
S0664 Pandora Pandora has the ability to gain system privileges through Windows services.[32]
S1031 PingPull PingPull has the ability to install itself as a service.[113]
S0501 PipeMon PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.[71]
S0013 PlugX PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.[55][59][58][56][57]
S0012 PoisonIvy PoisonIvy creates a Registry subkey that registers a new service. PoisonIvy also creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk.[83]
S0194 PowerSploit PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.[11][12]
G0056 PROMETHIUM PROMETHIUM has created new services and modified existing services for persistence.[138]
S0029 PsExec PsExec can leverage Windows services to escalate privileges from administrator to SYSTEM with the -s argument.[14]
S0650 QakBot QakBot can remotely create a temporary service on a target host.[110]
S0481 Ragnar Locker Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.[42]
S0629 RainyDay RainyDay can use services to establish persistence.[31]
S0169 RawPOS RawPOS installs itself as a service to maintain persistence.[77][78][79]
S0495 RDAT RDAT has created a service when it is installed on the victim machine.[51]
S0172 Reaver Reaver installs itself as a new service.[90]
S0074 Sakula Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.[73]
S0345 Seasalt Seasalt is capable of installing itself as a service.[100]
S0140 Shamoon Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the “MaintenaceSrv” and “hdv_725x” services.[105][106]
S0444 ShimRat ShimRat has installed a Windows service to maintain persistence on victim machines.[96]
S0692 SILENTTRINITY SILENTTRINITY can establish persistence by creating a new service.[13]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has created a service on victim machines named “TaskFrame” to establish persistence.[50]
S1037 STARWHALE STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem".[36]
S0142 StreamEx StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.[20]
S0491 StrongPity StrongPity has created new services and modified existing services for persistence.[48]
S0603 Stuxnet Stuxnet uses a driver registered as a boot start service as the main load-point.[111]
S1049 SUGARUSH SUGARUSH has created a service named Service1 for persistence.[25]
S0663 SysUpdate SysUpdate can create a service to establish persistence.[32]
S0164 TDTESS If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.[66]
G0139 TeamTNT TeamTNT has used malware that adds cryptocurrency miners as a service.[146]
S0560 TEARDROP TEARDROP ran as a Windows service from the c:\windows\syswow64 folder.[94][95]
G0027 Threat Group-3390 Threat Group-3390's malware can create a new service, sometimes naming it after the config information, to gain persistence.[136][135]
S0665 ThreatNeedle ThreatNeedle can run in memory and register its payload as a Windows service.[22]
S0004 TinyZBot TinyZBot can install as a Windows service for persistence.[75]
S0266 TrickBot TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.[29]
G0081 Tropic Trooper Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.[137]
S0263 TYPEFRAME TYPEFRAME variants can add malicious DLL modules as new services. TYPEFRAME can also delete services from the victim’s machine.[80]
S0386 Ursnif Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.[109]
S0180 Volgmer Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service’s Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.[103][102][104]
S0366 WannaCry WannaCry creates the service “mssecsvc2.0” with the display name “Microsoft Security Center (2.0) Service.”[52][53]
S0612 WastedLocker WastedLocker created and established a service that runs until the encryption process is complete.[61]
S0206 Wiarp Wiarp creates a backdoor through which remote attackers can create a service.[68]
S0176 Wingbird Wingbird uses services.exe to register a new autostart service named “Audit Service” using a copy of the local lsass.exe file.[33][34]
S0141 Winnti for Windows Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.[37]
G0102 Wizard Spider Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.[143]
S0230 ZeroT ZeroT can add a new service to ensure PlugX persists on the system when delivered as another payload onto the system.[57]
S0086 ZLib ZLib creates Registry keys to allow itself to run as various services.[44]
S0350 zwShell zwShell has established persistence by adding itself as a new service.[43]
S0412 ZxShell ZxShell can create a new service using the service parser function ProcessScCommand.[23]

Mitigations

ID Mitigation Description
M1047 Audit Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.[9] On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.[10]
M1045 Code Signing Enforce registration and execution of only legitimately signed service drivers where possible.
M1028 Operating System Configuration Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.
M1018 User Account Management Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0027 Driver Driver Load
DS0009 Process OS API Execution
DS0019 Service Service Creation
DS0024 Windows Registry Windows Registry Key Creation
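The data sources above can be turned into triage rules that encode the patterns seen in the procedure examples: an ImagePath that launches cmd.exe or cscript.exe (STARWHALE, Earth Lusca), a kernel driver registered from outside System32\drivers (HermeticWiper, Duqu), an svchost-hosted service whose ServiceDll points outside System32 (Volgmer, GreyEnergy), and any hit that auto-starts as LocalSystem. The Python below is an added example, not MITRE's or any vendor's code; the ServiceInstall record, the trusted-root list and the sample records are assumptions, with the samples constructed to mirror the page's examples rather than taken from real telemetry.

```python
"""Heuristic triage of Windows service installations (ATT&CK T1543.003).

Added example, not MITRE's code. ServiceInstall is a hypothetical normalised record
built from the fields that System event 7045 ("A service was installed in the system")
and HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> expose; ServiceDll is taken from
the Parameters subkey when the service is hosted by svchost.exe.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServiceInstall:
    name: str
    image_path: str                    # ImagePath value / 7045 "Service File Name"
    service_type: str                  # "user mode service" or "kernel mode driver"
    start_type: str                    # "boot start", "auto start", "demand start", ...
    account: str                       # 7045 "Service Account", e.g. "LocalSystem"
    service_dll: Optional[str] = None  # Parameters\ServiceDll, if any


# Interpreters that a legitimate service rarely launches directly; the STARWHALE and
# Earth Lusca entries above register cmd.exe / cscript.exe command lines this way.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM32 = "c:\\windows\\system32\\"
DRIVER_DIR = SYSTEM32 + "drivers\\"


def normalise_path(path: str) -> str:
    """Lower-case, collapse doubled backslashes and expand the usual SystemRoot spellings."""
    p = path.strip().lower().replace("\\\\", "\\")
    if p.startswith("\\??\\"):            # NT object-manager prefix common in driver ImagePaths
        p = p[4:]
    for alias in ("%systemroot%", "%windir%", "\\systemroot"):
        if p.startswith(alias):
            p = "c:\\windows" + p[len(alias):]
    return p


def launched_binary(image_path: str) -> str:
    """First token of an ImagePath: the file the Service Control Manager actually starts."""
    p = normalise_path(image_path)
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split()[0] if p else ""


def triage(rec: ServiceInstall) -> List[str]:
    """Return human-readable findings for one installation; [] means no rule fired."""
    findings: List[str] = []
    exe = launched_binary(rec.image_path)
    base = exe.rsplit("\\", 1)[-1]
    if base and "." not in base:       # "cmd /c ..." resolves to cmd.exe
        base += ".exe"
    is_driver = rec.service_type == "kernel mode driver"

    if base in SCRIPT_HOSTS:
        findings.append(f"ImagePath launches a shell/script host ({base})")
    if not is_driver and not exe.startswith(TRUSTED_ROOTS):
        where = f"runs from {exe}" if ":" in exe else "has no absolute path"
        findings.append(f"service binary outside Windows/Program Files: {where}")
    if is_driver and not exe.startswith(DRIVER_DIR):
        findings.append(f"kernel driver registered from outside System32\\drivers: {exe}")
    if rec.service_dll and not normalise_path(rec.service_dll).startswith(SYSTEM32):
        findings.append(f"svchost-hosted ServiceDll outside System32: {rec.service_dll}")
    if findings and rec.account.lower() == "localsystem" and rec.start_type == "auto start":
        findings.append("auto-starts as LocalSystem: persistence with SYSTEM privileges")
    return findings


def suspicious_installs(records: List[ServiceInstall]) -> Dict[str, List[str]]:
    """Map service name -> findings for every record that tripped at least one rule."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = triage(rec)
        if findings:
            result[rec.name] = findings
    return result


# Constructed sample records modelled on the procedure examples above (not real telemetry).
SAMPLE_INSTALLS = [
    ServiceInstall("Windowscarpstss",
                   r"cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale",
                   "user mode service", "auto start", "LocalSystem"),
    ServiceInstall("SysUpdate", r'cmd /c start "C:\Users\Public\update.exe"',
                   "user mode service", "auto start", "LocalSystem"),
    ServiceInstall("hwmon", r"\??\C:\Users\Public\hwmon.sys",
                   "kernel mode driver", "demand start", ""),
    ServiceInstall("WinUpdateSvc", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                   "user mode service", "auto start", "LocalSystem",
                   service_dll=r"C:\ProgramData\winupdatesvc.dll"),
    ServiceInstall("Spooler", r"%SystemRoot%\System32\spoolsv.exe",
                   "user mode service", "auto start", "LocalSystem"),
    ServiceInstall("ndis", r"\SystemRoot\System32\drivers\ndis.sys",
                   "kernel mode driver", "boot start", ""),
]

if __name__ == "__main__":
    for name, findings in suspicious_installs(SAMPLE_INSTALLS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The two benign records (Spooler, ndis) produce no findings, which is the check worth keeping when tuning the trusted-root list for an environment that installs services under other directories.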

References

  1. Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018. 

  2. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  3. Microsoft. (n.d.). Services. Retrieved June 7, 2016. 

  4. Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018. 

  5. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. 

  6. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. 

  7. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  8. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  9. Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022. 

  10. Jordan Geurten et al. (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.

  11. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  12. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  13. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  14. Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015. 

  15. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  16. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  17. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

  18. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  19. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  20. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. 

  21. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. 

  22. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  23. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  24. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  25. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  26. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. 

  27. Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.

  28. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  29. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.

  30. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. 

  31. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  32. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  33. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. 

  34. Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017. 

  35. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  36. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 

  37. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017. 

  38. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  39. Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.

  40. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  41. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  42. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. 

  43. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  44. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  45. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 

  46. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  47. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  48. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  49. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  50. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  51. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  52. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. 

  53. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. 

  54. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  55. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  56. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  57. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  58. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  59. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015. 

  60. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.

  61. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  62. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023. 

  63. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. 

  64. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  65. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  66. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  67. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018. 

  68. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018. 

  69. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

  70. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018. 

  71. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  72. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  73. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  74. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  75. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  76. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  77. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017. 

  78. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017. 

  79. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. 

  80. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  81. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  82. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  83. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  84. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. 

  85. Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.

  86. Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.

  87. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. 

  88. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  89. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  90. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  91. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. 

  92. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  93. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  94. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021. 

  95. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  96. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  97. FinFisher. (n.d.). Retrieved December 20, 2017. 

  98. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  99. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018. 

  100. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  101. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  102. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  103. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. 

  104. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. 

  105. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

  106. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  107. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  108. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  109. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019. 

  110. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. 

  111. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.

  112. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  113. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  114. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  115. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. 

  116. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. 

  117. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  118. Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018. 

  119. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  120. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. 

  121. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020. 

  122. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  123. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  124. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  125. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  126. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  127. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.

  128. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  129. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  130. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. 

  131. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  132. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  133. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  134. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. 

  135. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  136. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. 

  137. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  138. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  139. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. 

  140. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  141. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  142. Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 

  143. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  144. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.

  145. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  146. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  147. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  148. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.