T1573.001 Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

| Item | Value |
|---|---|
| ID | T1573.001 |
| Sub-techniques | T1573.001, T1573.002 |
| Tactics | TA0011 |
| Platforms | ESXi, Linux, Network Devices, Windows, macOS |
| Version | 1.2 |
| Created | 16 March 2020 |
| Last Modified | 24 October 2025 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| C0057 | 3CX Supply Chain Attack | During the 3CX Supply Chain Attack, AppleJeus’s VEILEDSIGNAL communication module supports three commands to conduct the following actions: send implant data, execute shellcode, and terminate itself.[192] |
| S0066 | 3PARA RAT | 3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails.[14] |
| S0065 | 4H RAT | 4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.[14] |
| S0045 | ADVSTORESHELL | A variant of ADVSTORESHELL encrypts some C2 with 3DES.[97] |
| G0007 | APT28 | APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[189] |
| G0064 | APT33 | APT33 has used AES for encryption of command and control traffic.[35] |
| S0438 | Attor | Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.[31] |
| S0344 | Azorult | Azorult can encrypt C2 traffic using XOR.[18][19] |
| S0245 | BADCALL | BADCALL encrypts C2 traffic using an XOR/ADD cipher.[57] |
| S0128 | BADNEWS | BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[27][28] |
| S0234 | Bandook | Bandook has used AES encryption for C2 communication.[154] |
| S0534 | Bazar | Bazar can send C2 communications with XOR encryption.[93] |
| S0127 | BBSRAT | BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.[96] |
| S0574 | BendyBear | BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.[114] |
| S0268 | Bisonal | Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[20][22][21] |
| S0520 | BLINDINGCAN | BLINDINGCAN has encrypted its C2 traffic with RC4.[159] |
| S0486 | Bonadan | Bonadan can XOR-encrypt C2 communications.[47] |
| S1226 | BOOKWORM | BOOKWORM has used encryption and compression algorithms to obfuscate the traffic between the system and C2 server; methods observed included RC4, AES, XOR with 0x5a, and LZO.[112] |
| G0060 | BRONZE BUTLER | BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[148] |
| S1039 | Bumblebee | Bumblebee can encrypt C2 requests and responses with RC4.[128] |
| S0077 | CallMe | CallMe uses AES to encrypt C2 traffic.[66] |
| S0030 | Carbanak | Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[123][124] |
| S0348 | Cardinal RAT | Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[69] |
| S1224 | CASTLETAP | CASTLETAP can receive a 9-byte XOR encrypted activation string in the payload of an ICMP echo request packet.[85] |
| S0220 | Chaos | Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[34] |
| S0674 | CharmPower | CharmPower can send additional modules over C2 encrypted with a simple substitution cipher.[56] |
| S0144 | ChChes | ChChes can encrypt C2 traffic with AES or RC4.[160][161] |
| S0023 | CHOPSTICK | CHOPSTICK encrypts C2 communications with RC4.[167] |
| S0154 | Cobalt Strike | Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.[142] |
| S0244 | Comnie | Comnie encrypts command and control communications with RC4.[113] |
| G1052 | Contagious Interview | Contagious Interview has encrypted C2 traffic using RC4.[186] |
| S0137 | CORESHELL | CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.[168] |
| S0050 | CosmicDuke | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[173] |
| G0012 | Darkhotel | Darkhotel has used AES-256 and 3DES for C2 communications.[176] |
| S0187 | Daserf | Daserf uses RC4 encryption to obfuscate HTTP traffic.[148] |
| S0021 | Derusbi | Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.[121] |
| S0200 | Dipsind | Dipsind encrypts C2 data with AES256 in ECB mode.[55] |
| S0472 | down_new | down_new has the ability to AES encrypt C2 communications.[170] |
| S0134 | Downdelph | Downdelph uses RC4 to encrypt C2 responses.[111] |
| S0384 | Dridex | Dridex has encrypted traffic with RC4.[7] |
| S0038 | Duqu | The Duqu command and control protocol’s data stream can be encrypted with AES-CBC.[94] |
| S0377 | Ebury | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[90] |
| S0081 | Elise | Elise encrypts exfiltrated data with RC4.[24] |
| S0082 | Emissary | The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.[65] |
| S0367 | Emotet | Emotet is known to use RSA keys for encrypting C2 traffic.[12] |
| S0091 | Epic | Epic encrypts commands from the C2 server using a hardcoded key.[133] |
| S0569 | Explosive | Explosive has encrypted communications with the RC4 method.[99] |
| S0076 | FakeM | The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic.[66] |
| S0181 | FALLCHILL | FALLCHILL encrypts C2 data with RC4 encryption.[52][53] |
| S0512 | FatDuke | FatDuke can AES encrypt C2 communications.[152] |
| S0171 | Felismus | Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.[171] |
| S0381 | FlawedAmmyy | FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[132] |
| S0661 | FoggyWeb | FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications.[158] |
| C0001 | Frankenstein | During Frankenstein, the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.[193] |
| S1144 | FRP | FRP can use STCP (Secret TCP) with a preshared key to encrypt services exposed to public networks.[5] |
| S0168 | Gazer | Gazer uses custom encryption for C2 that uses 3DES.[117][118] |
| S0032 | gh0st RAT | gh0st RAT uses RC4 and XOR to encrypt C2 traffic.[105] |
| S0342 | GreyEnergy | GreyEnergy encrypts communications using AES256.[129] |
| S0632 | GrimAgent | GrimAgent can use an AES key to encrypt C2 communications.[79] |
| S0132 | H1N1 | H1N1 encrypts C2 traffic using an RC4 key.[146] |
| S0037 | HAMMERTOSS | Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day’s tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day’s tweet, and the image file containing the command.[59] |
| S1229 | Havoc | Havoc can send an AES encrypted check-in request to the C2 server.[36][37] |
| S0170 | Helminth | Helminth encrypts data sent to its C2 server over HTTP with RC4.[42] |
| S0087 | Hi-Zor | Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.[51] |
| S0394 | HiddenWasp | HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.[74] |
| G0126 | Higaisa | Higaisa used AES-128 to encrypt C2 traffic.[187] |
| S0009 | Hikit | Hikit performs XOR encryption.[40] |
| S0431 | HotCroissant | HotCroissant has compressed network communications and encrypted them with a custom stream cipher.[43][44] |
| S0068 | httpclient | httpclient encrypts C2 content with XOR using a single byte, 0x12.[14] |
| S0203 | Hydraq | Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.[95] |
| S0537 | HyperStack | HyperStack has used RSA encryption for C2 communications.[116] |
| S1022 | IceApple | The IceApple Result Retriever module can AES encrypt C2 responses.[155] |
| G0100 | Inception | Inception has encrypted network communications with AES.[188] |
| S0260 | InvisiMole | InvisiMole uses variations of a simple XOR encryption routine for C&C communications.[9] |
| S0271 | KEYMARBLE | KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.[153] |
| S0641 | Kobalos | Kobalos’s post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.[103][104] |
| S0162 | Komplex | The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[138] |
| S0356 | KONNI | KONNI has used AES to encrypt C2 traffic.[147] |
| S1160 | Latrodectus | Latrodectus can send RC4 encrypted data over C2 channels.[135][136][134] |
| G0032 | Lazarus Group | Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.[178][177][179][180] |
| S0395 | LightNeuron | LightNeuron uses AES to encrypt C2 traffic.[98] |
| S1119 | LIGHTWIRE | LIGHTWIRE can RC4 encrypt C2 commands.[73] |
| S1202 | LockBit 3.0 | LockBit 3.0 can encrypt C2 communications with AES.[15] |
| S0582 | LookBack | LookBack uses a modified version of RC4 for data transfer.[101] |
| S0532 | Lucifer | Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.[48] |
| S1141 | LunarWeb | LunarWeb can send AES encrypted C2 commands.[61] |
| S0010 | Lurid | Lurid performs XOR encryption.[32] |
| S0409 | Machete | Machete has used AES to exfiltrate documents.[17] |
| S1060 | Mafalda | Mafalda can encrypt its C2 traffic with RC4.[106] |
| S1169 | Mango | Mango can receive XOR-encrypted commands from C2.[60] |
| S1059 | metaMain | metaMain can encrypt the data that it sends and receives from the C2 server using an RC4 encryption algorithm.[106][162] |
| S0455 | Metamorfo | Metamorfo has encrypted C2 commands with AES-256.[164] |
| S1026 | Mongall | Mongall has the ability to RC4 encrypt C2 communications.[68] |
| S0149 | MoonWind | MoonWind encrypts C2 traffic using RC4 with a static key.[75] |
| S0284 | More_eggs | More_eggs has used an RC4-based encryption method for its C2 communications.[39] |
| S0256 | Mosquito | Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[54] |
| G0069 | MuddyWater | MuddyWater has used AES to encrypt C2 responses.[185] |
| G0129 | Mustang Panda | Mustang Panda has encrypted C2 communications with RC4.[139][175] Mustang Panda has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and C2 server; methods observed included RC4, AES, XOR with 0x5a, and LZO.[112] |
| S0336 | NanoCore | NanoCore uses DES to encrypt the C2 traffic.[120] |
| S0272 | NDiskMonitor | NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.[28] |
| S0630 | Nebulae | Nebulae can use RC4 and XOR to encrypt C2 communications.[156] |
| S0034 | NETEAGLE | NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key “ScoutEagle.”[16] |
| S0198 | NETWIRE | NETWIRE can use AES encryption for C2 data transferred.[41] |
| S1106 | NGLite | NGLite will use an AES encrypted channel for command and control purposes, in one case using the key WHATswrongwithUu.[119] |
| S1100 | Ninja | Ninja can XOR and AES encrypt C2 messages.[76] |
| S0439 | Okrum | Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase.[126] |
| C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server.[190] |
| S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes.[64] |
| S0664 | Pandora | Pandora has the ability to encrypt communications with D3DES.[26] |
| S1145 | Pikabot | Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.[77] Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.[78] |
| S1031 | PingPull | PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications.[174] |
| S0501 | PipeMon | PipeMon communications are RC4 encrypted.[115] |
| S0254 | PLAINTEE | PLAINTEE encodes C2 beacons using XOR.[157] |
| S0435 | PLEAD | PLEAD has used RC4 encryption to download modules.[166] |
| S0013 | PlugX | PlugX can use RC4 encryption in C2 communications.[139][140] |
| S0012 | PoisonIvy | PoisonIvy uses the Camellia cipher to encrypt communications.[127] |
| S0371 | POWERTON | POWERTON has used AES for encrypting C2 traffic.[35] |
| S0113 | Prikormka | Prikormka encrypts some C2 traffic with the Blowfish cipher.[13] |
| S1228 | PUBLOAD | PUBLOAD has used RC4 encryption in C2 communications.[82][83][84] |
| S0650 | QakBot | QakBot can RC4 encrypt strings in C2 communication.[67] |
| S0262 | QuasarRAT | QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication.[3][4][2] |
| S1076 | QUIETCANARY | QUIETCANARY can RC4 encrypt C2 communications.[29] |
| S0629 | RainyDay | RainyDay can use RC4 to encrypt C2 communications.[156] |
| S0495 | RDAT | RDAT has used AES ciphertext to encode C2 communications.[91] |
| G1039 | RedCurl | RedCurl has used AES-128 CBC to encrypt C2 communications.[183] |
| S0153 | RedLeaves | RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[131] |
| C0056 | RedPenguin | During RedPenguin, UNC3886 malware used the RC4 cipher to encrypt outgoing C2 messages.[191] |
| S0433 | Rifdoor | Rifdoor has encrypted command and control (C2) communications with a stream cipher.[43] |
| S1222 | RIFLESPINE | RIFLESPINE can use the AES algorithm to encrypt C2 data.[45] |
| S0003 | RIPTIDE | APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.[145] |
| S1078 | RotaJakiro | RotaJakiro encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression.[169] |
| S0148 | RTM | RTM encrypts C2 traffic with a custom RC4 variant.[100] |
| S0074 | Sakula | Sakula encodes C2 traffic with single-byte XOR keys.[70] |
| S1099 | Samurai | Samurai can encrypt C2 communications with AES.[76] |
| S1085 | Sardonic | Sardonic has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers.[30] |
| S0053 | SeaDuke | SeaDuke C2 traffic has been encrypted with RC4 and AES.[143][144] |
| S0610 | SideTwist | SideTwist can encrypt C2 communications with a randomly generated key.[63] |
| S1110 | SLIGHTPULSE | SLIGHTPULSE can RC4 encrypt all incoming and outgoing C2 messages.[122] |
| S0633 | Sliver | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[6] |
| S0649 | SMOKEDHAM | SMOKEDHAM has encrypted its C2 traffic with RC4.[8] |
| S0159 | SNUGRIDE | SNUGRIDE encrypts C2 traffic using AES with a static key.[165] |
| S0627 | SodaMaster | SodaMaster can use RC4 to encrypt C2 communications.[130] |
| S1166 | Solar | Solar can XOR encrypt C2 communications.[60] |
| S0615 | SombRAT | SombRAT has encrypted its C2 communications with AES.[107] |
| S1227 | StarProxy | StarProxy has leveraged two 256-byte XOR keys to encrypt and decrypt network packets using a custom algorithm.[10] |
| G0038 | Stealth Falcon | Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.[184] |
| S1034 | StrifeWater | StrifeWater can encrypt C2 traffic using XOR with a hard coded key.[33] |
| S0603 | Stuxnet | Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.[88] |
| S0559 | SUNBURST | SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.[38] |
| S0060 | Sys10 | Sys10 uses an XOR 0x1 loop to encrypt its C2 domain.[23] |
| S0663 | SysUpdate | SysUpdate has used DES to encrypt all C2 communications.[11] |
| S0011 | Taidoor | Taidoor uses RC4 to encrypt the message body of HTTP content.[49][50] |
| S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.[102] |
| S1193 | TAMECAT | TAMECAT has used AES to encrypt C2 traffic.[71] |
| S1223 | THINCRUST | THINCRUST can process RSA encrypted C2 commands.[85] |
| S1239 | TONESHELL | TONESHELL has used RC4 encryption in C2 communications.[84] TONESHELL variants used a randomly generated variable length (0x20 - 0x200 bytes) rolling XOR key to encrypt and decrypt network packets.[10] |
| S0678 | Torisma | Torisma has encrypted its C2 communications using XOR and VEST-32.[89] |
| S0266 | TrickBot | TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[86] Newer versions of TrickBot have been known to use bcrypt to encrypt and digitally sign responses to their C2 server.[87] |
| S1196 | Troll Stealer | Troll Stealer encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.[151] |
| S0436 | TSCookie | TSCookie has encrypted network communications with RC4.[137] |
| S0333 | UBoatRAT | UBoatRAT encrypts instructions in its C2 network payloads using a simple XOR cipher.[163] |
| S0275 | UPPERCUT | Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.[80] |
| S0022 | Uroburos | Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.[62] |
| S1218 | VIRTUALPIE | VIRTUALPIE can use a custom RC4 encrypted protocol for C2 communications.[46][45] |
| S0180 | Volgmer | Volgmer uses a simple XOR cipher to encrypt traffic and files.[72] |
| G1017 | Volt Typhoon | Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.[182] |
| S0670 | WarzoneRAT | WarzoneRAT can encrypt its C2 with RC4 with the password warzone160\x00.[58] |
| S0514 | WellMess | WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.[108][109][110] |
| S0430 | Winnti for Linux | Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[81] |
| S0141 | Winnti for Windows | Winnti for Windows can XOR encrypt C2 traffic.[25] |
| S1115 | WIREFIRE | WIREFIRE can AES encrypt process output sent from compromised devices to C2.[141] |
| S1065 | Woody RAT | Woody RAT can use AES-CBC to encrypt data sent to its C2 server.[172] |
| S0653 | xCaon | xCaon has encrypted data sent to the C2 server using a XOR key.[125] |
| S0658 | XCSSET | XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[92] |
| S0230 | ZeroT | ZeroT has used RC4 to encrypt C2 traffic.[149][150] |
| S1114 | ZIPLINE | ZIPLINE can use AES-128-CBC to encrypt data for both upload and download.[73] |
| G0128 | ZIRCONIUM | ZIRCONIUM has used AES encrypted communications in C2.[181] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |

References


  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  2. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  3. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  4. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  5. fatedier. (n.d.). What is frp?. Retrieved July 10, 2024. 

  6. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021. 

  7. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019. 

  8. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  9. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  10. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. 

  11. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  12. Trend Micro. (2019, January 16). Exploring Emotet’s Activities. Retrieved March 25, 2019.

  13. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

  14. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  15. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  16. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. 

  17. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  18. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  19. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. 

  20. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  21. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  22. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  23. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

  24. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

  25. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  26. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  27. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  28. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  29. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 

  30. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 

  31. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  32. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014. 

  33. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  34. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018. 

  35. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  36. Shivtarkar, N. and Jain, S. (2023, February 14). Havoc Across the Cyberspace. Retrieved August 4, 2025. 

  37. Wan, Y. (2025, March 3). Havoc: SharePoint with Microsoft Graph API turns into FUD C2. Retrieved August 4, 2025. 

  38. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  39. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

  40. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  41. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  42. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

  43. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

  44. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020. 

  45. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 

  46. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025. 

  47. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  48. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  49. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. 

  50. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  51. Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016. 

  52. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  53. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  54. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  55. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  56. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  57. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018. 

  58. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  59. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024. 

  60. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  61. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  62. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  63. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  64. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. 

  65. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.

  66. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

  67. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  68. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  69. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

  70. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  71. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran’s APT42 Operations. Retrieved October 9, 2024. 

  72. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  73. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. 

  74. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  75. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

  76. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  77. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024. 

  78. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024. 

  79. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  80. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  81. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  82. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. 

  83. CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025. 

  84. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025. 

  85. Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.

  86. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. 

  87. Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot!. Retrieved September 28, 2021. 

  88. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024.

  89. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  90. M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.

  91. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  92. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  93. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  94. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  95. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  96. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  97. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  98. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  99. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  100. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  101. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.

  102. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  103. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021. 

  104. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. 

  105. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 

  106. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  107. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  108. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  109. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. 

  110. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  111. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 

  112. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025. 

  113. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. 

  114. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  115. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  116. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. 

  117. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  118. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 

  119. Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024. 

  120. Kasza, A., Halfpop, T. (2016, February 9). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.

  121. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. 

  122. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024. 

  123. Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 

  124. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  125. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  126. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  127. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024. 

  128. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  129. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  130. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  131. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  132. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  133. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  134. Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024.

  135. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.

  136. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 

  137. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  138. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. 

  139. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  140. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  141. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024. 

  142. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024. 

  143. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.

  144. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.

  145. Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.

  146. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024.

  147. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022. 

  148. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  149. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. 

  150. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  151. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025. 

  152. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  153. US-CERT. (2018, August 9). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.

  154. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  155. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  156. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  157. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  158. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  159. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  160. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved November 17, 2024.

  161. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  162. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. 

  163. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  164. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  165. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. 

  166. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  167. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.

  168. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023. 

  169. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  170. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. 

  171. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  172. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  173. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  174. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  175. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021.

  176. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024. 

  177. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  178. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  179. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  180. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  181. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. 

  182. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 

  183. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

  184. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  185. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025. 

  186. Singh, S., Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

  187. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  188. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  189. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  190. Juniper Networks, Cybersecurity R&D. (2025, March 11). The RedPenguin Malware Incident. Retrieved June 24, 2025. 

  191. Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott. (2023, April 20). 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible. Retrieved August 25, 2025. 

  192. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.