Skip to content

T1547.001 Registry Run Keys / Startup Folder

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in.3 These programs will be executed under the context of the user and will have the account’s associated permissions level.

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

The following run keys are created by default on Windows systems:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run keys may exist under multiple hives.21 The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.3 For example, it is possible to load a DLL at logon using a “Depend” key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d “C:\temp\evil[.]dll” 4

The following Registry keys can be used to set startup folder items for persistence:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The following Registry keys can control automatic startup of services during boot:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.

Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.

By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Item Value
ID T1547.001
Sub-techniques T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015
Tactics TA0003, TA0004
Platforms Windows
Permissions required Administrator, User
Version 1.2
Created 23 January 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.196197198
S0331 Agent Tesla Agent Tesla can add itself to the Registry as a startup program to establish persistence.184185
S1025 Amadey Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.2829
S0622 AppleSeed AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce to establish persistence.97
G0026 APT18 APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.263264
G0073 APT19 An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\.278
G0007 APT28 APT28 has deployed malware that has copied itself to the startup directory for persistence.230
G0016 APT29 APT29 added Registry Run keys to establish persistence.259
G0022 APT3 APT3 places scripts in the startup folder for persistence.277
G0050 APT32 APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.226227228
G0064 APT33 APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.271272
G0067 APT37 APT37‘s has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.273274
G0087 APT39 APT39 has maintained persistence using the startup folder.214
G0096 APT41 APT41 created and modified startup files for persistence.231233 APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.232
S0456 Aria-body Aria-body has established persistence via the Startup folder or Run Registry key.207
S0373 Astaroth Astaroth creates a startup item for persistence. 199
S1029 AuTo Stealer AuTo Stealer can place malicious executables in a victim’s AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.141
S0640 Avaddon Avaddon uses registry run keys for persistence.142
S1053 AvosLocker AvosLocker has been executed via the RunOnce Registry key to run itself on safe mode.18
S0414 BabyShark BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.143144
S0093 Backdoor.Oldrea Backdoor.Oldrea adds Registry Run keys to achieve persistence.5259
S0031 BACKSPACE BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.96
S0128 BADNEWS BADNEWS installs a registry Run key to establish persistence.35
S0337 BadPatch BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.105
S0534 Bazar Bazar can create or add files to Registry Run Keys to establish persistence.4950
S0127 BBSRAT BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe.
S0268 Bisonal Bisonal has added itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.201202
S0570 BitPaymer BitPaymer has set the run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.161
S0089 BlackEnergy The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.124
S0635 BoomBox BoomBox can establish persistence by writing the Registry value MicroNativeCacheSvc to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.19
S0204 Briba Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.38
G0060 BRONZE BUTLER BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.275
S0471 build_downer build_downer has the ability to add itself to the Registry Run key for persistence.132
S0030 Carbanak Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.104
S0484 Carberp Carberp has maintained persistence by placing itself inside the current user’s startup folder.44
S0348 Cardinal RAT Cardinal RAT establishes Persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.45
S0631 Chaes Chaes has added persistence via the Registry key software\microsoft\windows\currentversion\run\microsoft windows html help.16
S0144 ChChes ChChes establishes persistence by adding a Registry Run key.60
S1041 Chinoxy Chinoxy has established persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and by loading a dropper to (%COMMON_ STARTUP%\\eoffice.exe).164
S0660 Clambling Clambling can establish persistence by adding a Registry run key.6263
G0080 Cobalt Group Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.243
S0338 Cobian RAT Cobian RAT creates an autostart Registry key to ensure persistence.17
S0244 Comnie Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.32
S0608 Conficker Conficker adds Registry Run keys to establish persistence.117
G0142 Confucius Confucius has dropped malicious files into the startup folder %AppData%\Microsoft\Windows\Start Menu\Programs\Startup on a compromised host in order to maintain persistence.247
S0137 CORESHELL CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.160
S0046 CozyCar One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run120
S0115 Crimson Crimson can add Registry run keys for persistence.182183
S0235 CrossRAT CrossRAT uses run keys for persistence on Windows
G0070 Dark Caracal Dark Caracal‘s version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.249
S0334 DarkComet DarkComet adds several Registry entries to enable automatic execution at every system startup.6465
G0012 Darkhotel Darkhotel has been known to establish persistence by adding programs to the Run Registry key.276
S1066 DarkTortilla DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Run registry key and by creating a .lnk shortcut file in the Windows startup folder.145
S1021 DnsSystem DnsSystem can write itself to the Startup folder to gain persistence.27
S0186 DownPaper DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.134
G0035 Dragonfly Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.240
S0062 DustySky DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.75
S0081 Elise If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.4243
S0082 Emissary Variants of Emissary have added Run Registry keys to establish persistence.54
S0367 Emotet Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.394041
S0363 Empire Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.15
S0396 EvilBunny EvilBunny has created Registry keys for persistence in [HKLM
S0152 EvilGrab EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.60
S0568 EVILNUM EVILNUM can achieve persistence through the Registry Run key.8788
S0512 FatDuke FatDuke has used HKLM\SOFTWARE\Microsoft\CurrentVersion\Run to establish persistence.99
S0267 FELIXROOT FELIXROOT adds a shortcut file to the startup folder for persistence.200
G0051 FIN10 FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.26115
G0037 FIN6 FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.255
G0046 FIN7 FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.234235
S0355 Final1stspy Final1stspy creates a Registry Run key to establish persistence.114
S0182 FinFisher FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.8081
S0696 Flagpro Flagpro has dropped an executable file to the startup directory.55
S0036 FLASHFLOOD FLASHFLOOD achieves persistence by making an entry in the Registry’s Run key.96
S0381 FlawedAmmyy FlawedAmmyy has established persistence via the HKCU\SOFTWARE\microsoft\windows\currentversion\run registry key.28
S1044 FunnyDream FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.164
G0047 Gamaredon Group Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.216217218
S0168 Gazer Gazer can establish persistence by creating a .lnk file in the Start menu.178179
S0666 Gelsemium Gelsemium can set persistence with a Registry run key.110
S0032 gh0st RAT gh0st RAT has added a Registry Run key to establish persistence.112113
S0249 Gold Dragon Gold Dragon establishes persistence in the Startup folder.175
G0078 Gorgon Group Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.248
S0531 Grandoreiro Grandoreiro can use run keys and create link files in the startup folder for persistence.5657
S0417 GRIFFON GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.86
S0632 GrimAgent GrimAgent can set persistence with a Registry run key.58
S0561 GuLoader GuLoader can establish persistence via the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.127
S0499 Hancitor Hancitor has added Registry Run keys to establish persistence.77
S0170 Helminth Helminth establishes persistence by creating a shortcut in the Start Menu folder.133
S1027 Heyoka Backdoor Heyoka Backdoor can establish persistence with the auto start function including using the value EverNoteTrayUService.25
S0087 Hi-Zor Hi-Zor creates a Registry Run key to establish persistence.130
G0126 Higaisa Higaisa added a spoofed binary to the start-up folder for persistence.236237
S0070 HTTPBrowser HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe” to establish persistence.115116
S0483 IcedID IcedID has established persistence by creating a Registry run key.189
G0100 Inception Inception has maintained persistence by modifying Registry run key value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.229
S0259 InnaputRAT Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.76
S0260 InvisiMole InvisiMole can place a lnk file in the Startup Folder to achieve persistence.66
S0015 Ixeshe Ixeshe can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key.69
S0389 JCry JCry has created payloads in the Startup directory to maintain persistence. 131
S0044 JHUHUGIT JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.33
S0088 Kasidet Kasidet creates a Registry Run key to establish persistence.102103
S0265 Kazuar Kazuar adds a sub-key under several Registry run keys.150
G0004 Ke3chang Several Ke3chang backdoors achieved persistence by adding a Run key.256
G0094 Kimsuky Kimsuky has placed scripts in the startup folder for persistence and modified the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry key.222144220219221
S0250 Koadic Koadic has added persistence to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Registry key.10
S0669 KOCTOPUS KOCTOPUS can set the AutoRun Registry key with a PowerShell command.10
S0356 KONNI A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.154
G0032 Lazarus Group Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.280279282281
G0140 LazyScripter LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.10
G0065 Leviathan Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.238239
S0513 LiteDuke LiteDuke can create persistence by adding a shortcut in the CurrentVersion\Run Registry key.99
S0397 LoJax LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche in order to execute its payload during Windows startup.165
S0582 LookBack LookBack sets up a Registry Run key to establish a persistence mechanism.111
S0532 Lucifer Lucifer can persist by setting Registry key values HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic.37
G1014 LuminousMoth LuminousMoth has used malicious DLLs that setup persistence in the Registry Key HKCU\Software\Microsoft\Windows\Current Version\Run.213212
S0409 Machete Machete used the startup folder for persistence.9394
G0059 Magic Hound Magic Hound malware has used Registry Run keys to establish persistence.252251253
S0652 MarkiRAT MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.100
S0167 Matryoshka Matryoshka can establish persistence by adding Registry Run keys.146147
S0449 Maze Maze has created a file named “startup_vrun.bat” in the Startup folder of a virtual machine to establish persistence.188
S0500 MCMD MCMD can use Registry Run Keys for persistence.6
S0455 Metamorfo Metamorfo has configured persistence to the Registry ket HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify =% APPDATA%\Spotify\Spotify.exe and used .LNK files in the startup folder to achieve persistence.137138139140
S0080 Mivast Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia.84
S0553 MoleNet MoleNet can achieve persitence on the infected machine by setting the Registry run key.51
G0021 Molerats Molerats saved malicious files within the AppData and Startup folders to maintain persistence.250
S1026 Mongall Mongall can establish persistence with the auto start function including using the value EverNoteTrayUService.25
S0256 Mosquito Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.36
G0069 MuddyWater MuddyWater has added Registry Run key KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.270266265269268267
G0129 Mustang Panda Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.210
G0019 Naikon Naikon has modified a victim’s Windows Run registry to establish persistence.26
S0228 NanHaiShu NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.176
S0336 NanoCore NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.34
S0247 NavRAT NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.79
S0630 Nebulae Nebulae can achieve persistence through a Registry Run key.26
S0034 NETEAGLE The “SCOUT” variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.96
S0198 NETWIRE NETWIRE creates a Registry start-up entry to establish persistence.125126127128
S0385 njRAT njRAT has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\ and dropped a shortcut in %STARTUP%.108109
S0353 NOKKI NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.180
S0644 ObliqueRAT ObliqueRAT can gain persistence by a creating a shortcut in the infected user’s Startup directory.194
S0340 Octopus Octopus achieved persistence by placing a malicious executable in the startup directory and has added the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to the Registry.101
S0439 Okrum Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.48
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group placed LNK files into the victims’ startup folder for persistence.286
C0006 Operation Honeybee During Operation Honeybee, the threat actors used batch files that allowed them to establish persistence by adding the following Registry key: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f.287
C0013 Operation Sharpshooter During Operation Sharpshooter, a first-stage downloader installed Rising Sun to %Startup%\mssync.exe on a compromised host.285
G0040 Patchwork Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.283284
S0124 Pisloader Pisloader establishes persistence via a Registry Run key.78
S0254 PLAINTEE PLAINTEE gains persistence by adding the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.153
S0013 PlugX PlugX adds Run key entries in the Registry to establish persistence.14960148
S0428 PoetRAT PoetRAT has added a registry key in the hive for persistence.168
S0012 PoisonIvy PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.158
S0139 PowerDuke PowerDuke achieves persistence by using various Registry Run keys.192
S0441 PowerShower PowerShower sets up persistence with a Registry run key.205
S0145 POWERSOURCE POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.89
S0194 PowerSploit PowerSploit‘s New-UserPersistenceOption Persistence argument can be used to establish via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.1112
S0371 POWERTON POWERTON can install a Registry Run key for persistence.191
S0113 Prikormka Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.157
G0056 PROMETHIUM PROMETHIUM has used Registry run keys to establish persistence.74
S0147 Pteranodon Pteranodon copies itself to the Startup folder to establish persistence.155
S0196 PUNCHBUGGY PUNCHBUGGY has been observed using a Registry Run key.3031
S0192 Pupy Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.14
G0024 Putter Panda A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.242
S0650 QakBot QakBot can maintain persistence by creating an auto-run Registry key.21222324
S0262 QuasarRAT If the QuasarRAT client process does not have administrator privileges it will add a registry key to HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.98
S0458 Ramsay Ramsay has created Registry Run keys to establish persistence.204
S0662 RCSession RCSession has the ability to modify a Registry Run key to establish persistence.6261
S0172 Reaver Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.98
S0153 RedLeaves RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.6090
S0332 Remcos Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.7
S0375 Remexi Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.85
S0379 Revenge RAT Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.163
S0433 Rifdoor Rifdoor has created a new registry entry at HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Graphics with a value of C:\ProgramData\Initech\Initech.exe /run.174
G0106 Rocke Rocke‘s miner has created UPX-packed files in the Windows Start Menu Folder.241
S0270 RogueRobin RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.193
S0090 Rover Rover persists by creating a Registry entry in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.181
S0148 RTM RTM tries to add a Registry Run key under the name “Windows Update” to establish persistence.177
G0048 RTM RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.177260
S0253 RunningRAT RunningRAT adds itself to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to establish persistence upon reboot.175
S0446 Ryuk Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.170
S0085 S-Type S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.68
S1018 Saint Bot Saint Bot has established persistence by being copied to the Startup directory or through the \Software\Microsoft\Windows\CurrentVersion\Run registry key.7071
S0074 Sakula Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.129
S0461 SDBbot SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. 121122
S0053 SeaDuke SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.162
S0345 Seasalt Seasalt creates a Registry entry to ensure infection after reboot under HKLM\Software\Microsoft\Windows\currentVersion\Run.152
S0382 ServHelper ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key.118
S0546 SharpStage SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.51
S0444 ShimRat ShimRat has installed a registry based start-up key HKCU\Software\microsoft\windows\CurrentVersion\Run to maintain persistence should other methods fail.72
S0028 SHIPSHAPE SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.96
G0121 Sidewinder Sidewinder has added paths to executables in the Registry to establish persistence.223224225
G0091 Silence Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.262
S0692 SILENTTRINITY SILENTTRINITY can establish a LNK file in the startup folder for persistence.13
S1035 Small Sieve Small Sieve has the ability to add itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift for persistence.135
S0226 Smoke Loader Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.186
S0649 SMOKEDHAM SMOKEDHAM has used reg.exe to create a Registry Run key.169
S0159 SNUGRIDE SNUGRIDE establishes persistence through a Registry Run key.20
S0035 SPACESHIP SPACESHIP achieves persistence by creating a shortcut in the current user’s Startup folder.96
S0058 SslMM To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.73
S1037 STARWHALE STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM registry key.166167
S0491 StrongPity StrongPity can use the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key for persistence.74
S0018 Sykipot Sykipot has been known to establish persistence by adding programs to the Run Registry key.83
S0663 SysUpdate SysUpdate can use a Registry Run key to establish persistence.136
S0011 Taidoor Taidoor has modified the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key for persistence.203
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can copy itself into the current user’s Startup folder as “Narrator.exe” for persistence.95
G0139 TeamTNT TeamTNT has added batch scripts to the startup folder.254
G0027 Threat Group-3390 Threat Group-3390‘s malware can add a Registry key to Software\Microsoft\Windows\CurrentVersion\Run for persistence.245244
S0665 ThreatNeedle ThreatNeedle can be loaded into the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk) as a Shortcut file for persistence.159
S0131 TINYTYPHON TINYTYPHON installs itself under Registry Run key to establish persistence.35
S0004 TinyZBot TinyZBot can create a shortcut in the Windows startup folder for persistence.187
S0266 TrickBot TrickBot establishes persistence in the Startup folder.91
S0094 Trojan.Karagany Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.5253
G0081 Tropic Trooper Tropic Trooper has created shortcuts in the Startup folder to establish persistence.257258
S0178 Truvasys Truvasys adds a Registry Run key to establish persistence.82
S0647 Turian Turian can establish persistence by adding Registry Run keys.156
G0010 Turla A Turla Javascript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.36211
S0199 TURNEDUP TURNEDUP is capable of writing to a Registry Run key to establish.67
S0386 Ursnif Ursnif has used Registry Run keys to establish automatic execution at system startup.106107
S0136 USBStealer USBStealer registers itself under a Registry Run key with the name “USB Disk Security.”123
S0207 Vasport Vasport copies itself to disk and creates an associated run key Registry entry to establish.206
S0442 VBShower VBShower used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8} to maintain persistence.151
S0670 WarzoneRAT WarzoneRAT can add itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK Registry keys.92
G0112 Windshift Windshift has created LNK files in the Startup folder to establish persistence.215
S0141 Winnti for Windows Winnti for Windows can add a service named wind0ws to the Registry to achieve persistence after reboot.190
G0102 Wizard Spider Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.208209
S0341 Xbash Xbash can create a Startup item for persistence if it determines it is on a Windows system.195
S0251 Zebrocy Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.171172173
S0330 Zeus Panda Zeus Panda adds persistence by creating Registry Run keys.4647
G0128 ZIRCONIUM ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary.246

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation

References

  1. Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020. 

  2. Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020. 

  3. Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. 

  4. Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018. 

  5. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  6. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  7. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. 

  8. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  9. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  10. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  11. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  12. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  13. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  14. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  15. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  16. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  17. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. 

  18. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023. 

  19. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  20. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  21. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  22. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  23. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 

  24. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  25. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  26. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  27. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. 

  28. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  29. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  30. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  31. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  32. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. 

  33. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  34. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018. 

  35. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  36. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  37. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  38. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018. 

  39. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. 

  40. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. 

  41. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. 

  42. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  43. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. 

  44. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020. 

  45. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  46. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  47. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  48. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  49. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  50. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  51. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  52. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 

  53. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  54. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. 

  55. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  56. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  57. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  58. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  59. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. 

  60. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  61. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  62. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  63. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  64. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  65. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  66. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  67. Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018. 

  68. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  69. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  70. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  71. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  72. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  73. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  74. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  75. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 

  76. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  77. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. 

  78. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. 

  79. FinFisher. (n.d.). Retrieved December 20, 2017. 

  80. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  81. Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017. 

  82. Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014. 

  83. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016. 

  84. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  85. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  86. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  87. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 

  88. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. 

  89. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  90. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021. 

  91. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  92. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  93. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  94. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  95. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. 

  96. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  97. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  98. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  99. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  100. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  101. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  102. Manuel, J. and Plantado, R.. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016. 

  103. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  104. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  105. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019. 

  106. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. 

  107. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  108. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  109. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  110. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  111. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 

  112. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  113. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  114. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016. 

  115. Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016. 

  116. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021. 

  117. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  118. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  119. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  120. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  121. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  122. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  123. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  124. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. 

  125. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  126. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. 

  127. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  128. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  129. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. 

  130. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. 

  131. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  132. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  133. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. 

  134. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. 

  135. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  136. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  137. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  138. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  139. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  140. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  141. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. 

  142. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. 

  143. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  144. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  145. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  146. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. 

  147. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  148. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015. 

  149. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  150. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 

  151. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. 

  152. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  153. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  154. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  155. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  156. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  157. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  158. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  159. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  160. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  161. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. 

  162. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  163. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  164. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019. 

  165. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  166. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 

  167. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  168. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  169. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  170. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  171. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  172. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  173. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  174. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  175. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018. 

  176. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  177. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  178. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 

  179. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  180. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  181. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  182. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  183. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. 

  184. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. 

  185. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. 

  186. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  187. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. 

  188. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. 

  189. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  190. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  191. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  192. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  193. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  194. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. 

  195. Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. 

  196. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  197. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  198. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. 

  199. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  200. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  201. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  202. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. 

  203. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  204. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  205. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018. 

  206. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  207. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  208. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  209. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. 

  210. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018. 

  211. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  212. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  213. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  214. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

  215. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  216. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  217. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  218. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  219. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  220. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  221. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  222. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. 

  223. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. 

  224. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. 

  225. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  226. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  227. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  228. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  229. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  230. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  231. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  232. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  233. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  234. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  235. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  236. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  237. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  238. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  239. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  240. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  241. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  242. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  243. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  244. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. 

  245. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  246. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021. 

  247. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  248. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  249. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  250. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  251. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  252. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  253. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. 

  254. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  255. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020. 

  256. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  257. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. 

  258. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020. 

  259. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. 

  260. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  261. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018. 

  262. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  263. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. 

  264. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  265. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  266. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  267. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 

  268. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  269. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  270. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. 

  271. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 

  272. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  273. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  274. Kaspersky Lab’s Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. 

  275. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. 

  276. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  277. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  278. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  279. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  280. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  281. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. 

  282. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  283. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  284. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  285. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.