Skip to content

T1566.002 Spearphishing Link

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an “IDN homograph attack”).2

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to Steal Application Access Tokens.3 These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. 4

Item Value
ID T1566.002
Sub-techniques T1566.001, T1566.002, T1566.003
Tactics TA0001
Platforms Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Version 2.4
Created 02 March 2020
Last Modified 11 April 2023

Procedure Examples

ID Name Description
S0677 AADInternals AADInternals can send “consent phishing” emails containing malicious links designed to steal users’ access tokens.6
S0584 AppleJeus AppleJeus has been distributed via spearphishing link.24
G0006 APT1 APT1 has sent spearphishing emails containing hyperlinks to malicious files.103
G0007 APT28 APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.99100101102
G0016 APT29 APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.747576
G0022 APT3 APT3 has sent spearphishing emails containing malicious links.97
G0050 APT32 APT32 has sent spearphishing emails containing malicious links.5455565711
G0064 APT33 APT33 has sent spearphishing emails containing links to .hta files.6566
G0087 APT39 APT39 leveraged spearphishing emails with malicious links to initially compromise victims.7778
S0534 Bazar Bazar has been spread via emails with embedded malicious links.789
G0098 BlackTech BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.71
S1039 Bumblebee Bumblebee has been spread through e-mail campaigns with malicious links.2322
C0011 C0011 During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.112
C0021 C0021 During C0021, the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.108109
G0080 Cobalt Group Cobalt Group has sent emails with URLs pointing to malicious documents.6219
G0142 Confucius Confucius has sent malicious links to victims through email campaigns.90
G1006 Earth Lusca Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.67
G0066 Elderwood Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.8687
G1003 Ember Bear Ember Bear has sent spearphishing emails containing malicious links.10
S0367 Emotet Emotet has been delivered by phishing emails containing links. 323334353637383839
G0120 Evilnum Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.42
G1011 EXOTIC LILY EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.98
G0085 FIN4 FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.5049
G0046 FIN7 FIN7 has conducted broad phishing campaigns using malicious links.61
G0061 FIN8 FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.81
S0531 Grandoreiro Grandoreiro has been spread via malicious links embedded in e-mails.2829
S0561 GuLoader GuLoader has been spread in phishing campaigns using malicious web links.26
S0499 Hancitor Hancitor has been delivered via phishing emails which contained malicious links.31
S0528 Javali Javali has been delivered via malicious links embedded in e-mails.25
S0585 Kerrdown Kerrdown has been distributed via e-mails containing a malicious link.11
G0094 Kimsuky Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.104105106
S0669 KOCTOPUS KOCTOPUS has been distributed as a malicious link within an email.20
G0032 Lazarus Group Lazarus Group has sent malicious links to victims via email.64
G0140 LazyScripter LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.20
G0065 Leviathan Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.7980
G1014 LuminousMoth LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.41
G0095 Machete Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.5960
G0059 Magic Hound Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy.93929194
S0530 Melcoz Melcoz has been spread through malicious links embedded in e-mails.25
G0103 Mofang Mofang delivered spearphishing emails with malicious links included.70
G0021 Molerats Molerats has sent phishing emails with malicious links included.63
G0069 MuddyWater MuddyWater has sent targeted spearphishing e-mails with malicious links.6869
G0129 Mustang Panda Mustang Panda has delivered malicious links to their intended targets.48
S0198 NETWIRE NETWIRE has been spread via e-mail campaigns utilizing malicious links.26
C0002 Night Dragon During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.115
G0049 OilRig OilRig has sent spearphising emails with malicious links to potential victims.43
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.114113
C0016 Operation Dust Storm During Operation Dust Storm, the threat actors sent spearphishing emails containing a malicious link.111
C0005 Operation Spalax During Operation Spalax, the threat actors sent phishing emails to victims that contained a malicious link.110
S1017 OutSteel OutSteel has been distributed through malicious links contained within spearphishing emails.10
G0040 Patchwork Patchwork has used spearphishing with links to deliver files with exploits to initial victims.515352
S0453 Pony Pony has been delivered via spearphishing emails which contained malicious links.40
S0650 QakBot QakBot has spread through emails with malicious links.15171816141213
S1018 Saint Bot Saint Bot has been distributed through malicious links contained within spearphishing emails.10
G0034 Sandworm Team Sandworm Team has crafted phishing emails containing malicious hyperlinks.85
G0121 Sidewinder Sidewinder has sent e-mails with malicious links often crafted for specific targets.8889
S0646 SpicyOmelette SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.19
S1030 Squirrelwaffle Squirrelwaffle has been distributed through phishing emails containing a malicious URL.21
G0092 TA505 TA505 has sent spearphishing emails containing malicious links.44454647
G0134 Transparent Tribe Transparent Tribe has embedded links to malicious downloads in e-mails.7273
S0266 TrickBot TrickBot has been delivered via malicious links in phishing e-mails.27
G0010 Turla Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.58
S0476 Valak Valak has been delivered via malicious links in e-mail.30
G0112 Windshift Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.107
G0102 Wizard Spider Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.9596
G0128 ZIRCONIUM ZIRCONIUM has used malicious links in e-mails to deliver malware.828384

Mitigations

ID Mitigation Description
M1047 Audit Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.
M1021 Restrict Web-Based Content Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
M1054 Software Configuration Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.51.
M1018 User Account Management Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications.
M1017 User Training Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0029 Network Traffic Network Traffic Content

References

  1. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. 

  2. CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020. 

  3. Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. 

  4. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. 

  5. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. 

  6. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  7. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. 

  8. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  9. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  10. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. 

  11. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  12. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  13. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  14. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  15. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  16. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  17. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 

  18. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  19. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  20. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  21. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. 

  22. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  23. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  24. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  25. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. 

  26. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  27. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  28. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  29. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. 

  30. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. 

  31. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. 

  32. Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019. 

  33. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019. 

  34. Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019. 

  35. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. 

  36. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. 

  37. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. 

  38. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. 

  39. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  40. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  41. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  42. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  43. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  44. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  45. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  46. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  47. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. 

  48. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. 

  49. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. 

  50. Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016. 

  51. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  52. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  53. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. 

  54. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  55. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020. 

  56. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  57. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  58. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  59. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  60. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  61. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  62. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  63. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  64. O’Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. 

  65. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  66. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  67. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. 

  68. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  69. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  70. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  71. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  72. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021. 

  73. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. 

  74. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. 

  75. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022. 

  76. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  77. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  78. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  79. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  80. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  81. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. 

  82. Huntley, S. (2020, October 16). How We’re Tackling Evolving Online Threats. Retrieved March 24, 2021. 

  83. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  84. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  85. O’Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. 

  86. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber ‘gangs’ in China. Retrieved February 15, 2018. 

  87. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  88. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. 

  89. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  90. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. 

  91. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021. 

  92. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017. 

  93. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  94. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  95. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016. 

  96. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  97. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. 

  98. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  99. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. 

  100. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. 

  101. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  102. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. 

  103. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. 

  104. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  105. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020. 

  106. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  107. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. 

  108. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  109. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  110. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  111. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  112. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  113. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.