
T1680 Local Storage Discovery

Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform Lateral Movement, or as a precursor to Direct Volume Access.

On ESXi systems, adversaries may use Hypervisor CLI commands such as esxcli to list storage connected to the host as well as .vmdk files.[7][5]

On Windows systems, adversaries can use wmic logicaldisk get to find information about local network drives. They can also use Get-PSDrive in PowerShell to retrieve drives and may additionally use Windows API functions such as GetDriveType.[6][1]

Linux has commands such as parted, lsblk, fdisk, lshw, and df that can list information about disk partitions such as size, type, file system types, and free space. The command diskutil on macOS can be used to list disks, while system_profiler SPStorageDataType can additionally show information such as a volume’s mount path, file system, and the type of drive in the system.

Infrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as describe-volumes in AWS, gcloud compute disks list in GCP, and az disk list in Azure.[2][4][3]
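The commands listed across the platform paragraphs above are what a detection engineer would look for in process-creation telemetry. The following is an added example and not part of the ATT&CK page or any vendor product: it turns the technique description into a small detector that classifies command lines by platform and raises a finding only when one host runs several distinct storage-discovery commands within a short window, which is the pattern that tends to precede ransomware staging rather than a lone administrator running df. The log line format, host names, and all events are constructed for this example; the regexes and the five-minute window are assumptions to be tuned against real EDR or auditd data.

```python
"""Detection sketch for ATT&CK T1680 (Local Storage Discovery).

Added example, not from the ATT&CK page. Events below are constructed;
the indicator regexes mirror the commands named in the technique text.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _cli(*names):
    # Command at the start of the line, optionally via sudo or a full path.
    return [(n, re.compile(rf"^(?:sudo\s+)?(?:/\S*/)?{n}\b")) for n in names]


# One (label, regex) list per platform; regexes run on the lower-cased command line.
INDICATORS = {
    "windows": [
        ("wmic logicaldisk", re.compile(r"\bwmic\b.*\blogicaldisk\b")),
        ("Get-PSDrive", re.compile(r"\bget-psdrive\b")),
        ("fsutil fsinfo drives", re.compile(r"\bfsutil\s+fsinfo\s+drives\b")),
        ("vssadmin list shadows", re.compile(r"\bvssadmin\s+list\s+shadows\b")),
        ("WMI Win32_LogicalDisk", re.compile(r"win32_logicaldisk")),
    ],
    "linux": _cli("lsblk", "fdisk", "parted", "lshw", "df"),
    "macos": _cli("diskutil") + [
        ("system_profiler SPStorageDataType",
         re.compile(r"\bsystem_profiler\s+spstoragedatatype\b")),
    ],
    "esxi": [
        ("esxcli storage", re.compile(r"\besxcli\s+storage\b")),
        (".vmdk listing", re.compile(r"\.vmdk\b")),
    ],
    # Cloud CLIs run from any OS, so these are checked for every platform.
    "iaas": [
        ("aws ec2 describe-volumes", re.compile(r"\baws\s+ec2\s+describe-volumes\b")),
        ("gcloud compute disks list", re.compile(r"\bgcloud\s+compute\s+disks\s+list\b")),
        ("az disk list", re.compile(r"\baz\s+disk\s+list\b")),
    ],
}

# Constructed process-creation events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    "2025-10-01T10:00:01Z host=WS01 platform=windows user=alice cmd=wmic logicaldisk get caption,size,freespace",
    "2025-10-01T10:00:05Z host=WS01 platform=windows user=alice cmd=fsutil fsinfo drives",
    "2025-10-01T10:00:09Z host=WS01 platform=windows user=alice cmd=vssadmin list shadows",
    "2025-10-01T10:01:00Z host=SRV02 platform=linux user=root cmd=df -h /var/log",
    "2025-10-01T11:30:00Z host=SRV02 platform=linux user=root cmd=lsblk -o NAME,SIZE",
    "2025-10-01T10:02:00Z host=ESX01 platform=esxi user=root cmd=esxcli storage filesystem list",
    "2025-10-01T10:02:30Z host=ESX01 platform=esxi user=root cmd=ls /vmfs/volumes/datastore1/*.vmdk",
    "2025-10-01T10:03:00Z host=WS01 platform=windows user=alice cmd=notepad.exe report.txt",
    "2025-10-01T10:04:00Z host=OPS01 platform=linux user=svc cmd=aws ec2 describe-volumes --region us-east-1",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+platform=(?P<platform>\S+)"
    r"\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(cmd, platform):
    """Return the labels of every T1680 indicator present in a command line."""
    text = cmd.lower()
    patterns = INDICATORS.get(platform, []) + INDICATORS["iaas"]
    return [label for label, rx in patterns if rx.search(text)]


def detect(lines, window=timedelta(minutes=5), threshold=2):
    """Cluster indicator hits per host; report clusters with >= threshold distinct indicators."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        labels = classify(ev["cmd"], ev["platform"])
        if labels:
            hits[ev["host"]].append((ev["ts"], labels, ev["cmd"]))
    findings = []
    for host, events in hits.items():
        events.sort(key=lambda e: e[0])
        cluster = []
        for ev in events + [None]:  # None flushes the last cluster
            if cluster and (ev is None or ev[0] - cluster[0][0] > window):
                distinct = {lab for _, labs, _ in cluster for lab in labs}
                if len(distinct) >= threshold:
                    findings.append({"host": host, "start": cluster[0][0], "end": cluster[-1][0],
                                     "indicators": sorted(distinct),
                                     "commands": [c for _, _, c in cluster]})
                cluster = []
            if ev is not None:
                cluster.append(ev)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['start']:%H:%M:%S}-{f['end']:%H:%M:%S} {f['indicators']}")
```

With the sample events, WS01 (three Windows commands in eight seconds) and ESX01 (esxcli plus a .vmdk listing) produce findings, while the lone df on SRV02, the lsblk ninety minutes later, and the single describe-volumes call do not; lowering threshold to 1 surfaces those as low-severity single hits instead.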

ID: T1680
Sub-techniques:
Tactics: TA0007
Platforms: ESXi, IaaS, Linux, Windows, macOS
Version: 1.0
Created: 25 September 2025
Last Modified: 22 October 2025

Procedure Examples

ID Name Description
S0456 Aria-body Aria-body has the ability to identify disk information on a compromised host.[113]
S1087 AsyncRAT AsyncRAT can check the disk size through the values obtained with DeviceInfo.[8]
S0438 Attor Attor monitors the free disk space on the system.[114]
S0473 Avenger Avenger has the ability to identify the host volume ID.[20]
S0638 Babuk Babuk can enumerate disk volumes, get disk information, and query service status.[104]
S0234 Bandook Bandook can collect information about the drives available on the system.[79]
S0239 Bankshot Bankshot gathers disk type and disk free space.[100][101]
S1070 Black Basta Black Basta can enumerate volumes.[56][55]
S1068 BlackCat BlackCat can enumerate local drives.[47]
S0564 BlackMould BlackMould can enumerate local drives on a compromised host.[19]
S0520 BLINDINGCAN BLINDINGCAN has collected disk information, including type and free space available.[92]
S0471 build_downer build_downer has the ability to send system volume information to C2.[20]
C0017 C0017 During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.[139]
S0351 Cannon Cannon can gather drive information from the victim’s machine.[26][27]
G0114 Chimera Chimera has used fsutil fsinfo drives, systeminfo, and vssadmin list shadows for system information including shadow volumes and drive information.[136]
S0667 Chrommme Chrommme has the ability to list drives.[38]
G0142 Confucius Confucius has used a file stealer that can examine system drives, including those other than the C drive.[124]
S0137 CORESHELL CORESHELL collects the volume serial number from the victim and sends the information to its C2 server.[35]
S0488 CrackMapExec CrackMapExec can enumerate the system drives and associated system name.[10]
S0115 Crimson Crimson contains a command to collect disk drive information.[116][115][117]
S0625 Cuba Cuba can enumerate local drives, disk type, and disk free space.[14]
S1111 DarkGate DarkGate uses the Delphi methods Sysutils::DiskSize and GlobalMemoryStatusEx to collect disk size and physical memory as part of the malware’s anti-analysis checks for running in a virtualized environment.[29]
S0616 DEATHRANSOM DEATHRANSOM can enumerate logical drives on a target system.[66]
S0472 down_new down_new has the ability to identify the system volume information of a compromised host.[20]
S0091 Epic Epic collects disk space information.[103]
S0181 FALLCHILL FALLCHILL can collect information about installed disks from the victim.[95]
S0267 FELIXROOT FELIXROOT collects the victim’s volume serial number.[31][30]
S1044 FunnyDream FunnyDream can enumerate all logical drives on a targeted machine.[110]
S0617 HELLOKITTY HELLOKITTY can enumerate logical drives on a target system.[66]
S0697 HermeticWiper HermeticWiper can enumerate physical drives on a targeted host.[76][77][75][74]
S1027 Heyoka Backdoor Heyoka Backdoor can enumerate drives on a compromised host.[33]
G0126 Higaisa Higaisa collected the system volume serial number.[133][132]
S0376 HOPLIGHT HOPLIGHT has been observed collecting victim machine volume information.[63]
S1139 INC Ransomware INC Ransomware can discover and mount hidden drives to encrypt them.[41]
S0259 InnaputRAT InnaputRAT gathers volume drive information.[91]
S0260 InvisiMole InvisiMole can gather information on the mapped drives and system volume serial number.[64][65]
S0044 JHUHUGIT JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.[105][106]
S0265 Kazuar Kazuar gathers information on local drives.[97]
S0271 KEYMARBLE KEYMARBLE has the capability to collect information on disk devices.[68]
S0526 KGH_SPY KGH_SPY can collect drive information from a compromised host.[102]
S0607 KillDisk KillDisk retrieves the hard disk name by calling the CreateFileA API on \\.\PHYSICALDRIVE0.[24]
G0094 Kimsuky Kimsuky has enumerated drives.[138][137]
S0356 KONNI KONNI can gather information on connected drives and disk space from the victim’s machine.[45][44][46]
S1075 KOPILUWAK KOPILUWAK can discover logical drive information on compromised hosts.[78]
G0032 Lazarus Group A Destover-like variant used by Lazarus Group collects disk space information and sends it to its C2 server.[129][127][128][131][42][130]
S0680 LitePower LitePower has the ability to list local drives.[111]
S1199 LockBit 2.0 LockBit 2.0 can enumerate local drive configuration.[51][50]
S1202 LockBit 3.0 LockBit 3.0 can enumerate local drive configuration.[32]
S1016 MacMa MacMa can collect information about a compromised computer’s disk sizes.[94]
S1048 macOS.OSAMiner macOS.OSAMiner has checked to ensure there is enough disk space using the Unix utility df.[18]
S1060 Mafalda Mafalda can enumerate all drives on a compromised host.[71][72]
S1244 Medusa Ransomware Medusa Ransomware has enumerated logical drives on infected hosts.[40]
S1026 Mongall Mongall can identify drives on compromised hosts.[33]
S0630 Nebulae Nebulae can discover logical drive information including the drive type, free space, and volume information.[23]
S1147 Nightdoor Nightdoor can collect information about disk drives, their total and free space, and file system type.[36]
S1100 Ninja Ninja can obtain information on physical drives from targeted hosts.[53][54]
S0353 NOKKI NOKKI can gather information on drives on the victim’s machine.[89]
S0340 Octopus Octopus can collect system drive and disk size information.[93]
C0014 Operation Wocao During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model.[141]
S0208 Pasam Pasam creates a backdoor through which remote attackers can retrieve information like free disk space.[39]
G0040 Patchwork Patchwork enumerated all available drives on the victim’s machine.[134][135]
S0587 Penquin Penquin can report the disk space of a compromised host to C2.[43]
S0013 PlugX PlugX has collected a list of all mapped drives on the infected host.[28]
S0238 Proxysvc Proxysvc collects volume information for all drives on the system.[42]
S1228 PUBLOAD PUBLOAD has leveraged wmic logicaldisk get to map local network drives.[6]
S1242 Qilin Qilin has used GetLogicalDrives() and EnumResourceW() to locate mounted drives and shares.[52]
S0458 Ramsay Ramsay can detect system information, including disk names, total space, and remaining space, to create a hardware profile GUID which acts as a system identifier for operators.[49][48]
S0172 Reaver Reaver collects volume serial number from the victim.[96]
S0496 REvil REvil can identify system drive information on a compromised host.[84][81][86][85][83][82][80]
S0448 Rising Sun Rising Sun can detect drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.[112]
S1150 ROADSWEEP ROADSWEEP can enumerate logical drives on targeted devices.[12][70]
S1073 Royal Royal can use GetLogicalDrives to enumerate logical drives.[107][108]
S0253 RunningRAT RunningRAT gathers logical drives information and volume information.[15]
S0446 Ryuk Ryuk has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type.[67]
S1168 SampleCheck5000 SampleCheck5000 can create unique victim identifiers by using the compromised system’s volume ID.[25]
S1085 Sardonic Sardonic has the ability to collect the C:\ drive serial number from a compromised machine.[62]
S0596 ShadowPad ShadowPad has discovered system information including volume serial numbers.[99]
S1089 SharpDisco SharpDisco can use a plugin to enumerate system drives.[90]
S0692 SILENTTRINITY SILENTTRINITY can collect information related to a compromised host, including a list of drives.[9]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has collected disk information from a victim machine.[11]
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used fsutil to check available free space before executing actions that might create large files on disk.[140]
S0516 SoreFang SoreFang can collect disk space information on victim machines by executing Systeminfo.[69]
S0491 StrongPity StrongPity can identify the hard disk volume serial number on a compromised host.[73]
S1049 SUGARUSH MoonWind can obtain the number of drives on the victim machine.[13]
S0663 SysUpdate SysUpdate can collect a system’s drive information.[22][21]
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can use DriveList to retrieve drive information.[109]
G0139 TeamTNT TeamTNT has searched for disk partition and logical volume information.[118][119]
G1022 ToddyCat ToddyCat has collected information on bootable drives including model, vendor, and serial numbers.[54]
S1239 TONESHELL TONESHELL has retrieved the disk serial number of the device using the WMI query SELECT volumeserialnumber FROM win32_logicaldisk where Name='C:' to identify the victim machine.[37]
S0678 Torisma Torisma can use GetLogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive.[16]
G0081 Tropic Trooper Tropic Trooper has detected a target system’s system volume information.[125][126]
S0263 TYPEFRAME TYPEFRAME can gather the disk volume information.[98]
G1017 Volt Typhoon Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.[122][123][121][120]
S0689 WhisperGate WhisperGate has the ability to enumerate fixed logical drives on a targeted system.[87]
S1065 Woody RAT Woody RAT can retrieve information about storage drives from an infected machine.[34]
S0248 yty yty gathers the serial number of the main disk volume.[17]
S0251 Zebrocy Zebrocy collects the serial number for the storage volume C:.[61][26][60][27][59][57][58]
S1151 ZeroCleare ZeroCleare can use the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY, and IOCTL_DISK_GET_LENGTH_INFO system calls to compute disk size.[12]
S0672 Zox Zox can enumerate attached drives.[88]

References
  1. Ankur Saini, Charlie Gardner. (2023, June 28). Charming Kitten Updates POWERSTAR with an InterPlanetary Twist. Retrieved September 25, 2025. 

  2. AWS. (n.d.). describe-volumes. Retrieved October 20, 2025. 

  3. Azure. (n.d.). az disk. Retrieved October 20, 2025. 

  4. Google Cloud. (n.d.). gcloud compute disks list. Retrieved October 20, 2025. 

  5. Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant. Retrieved March 26, 2025. 

  6. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025. 

  7. Mina Naiim. (2021, May 28). DarkSide on Linux: Virtual Machines Targeted. Retrieved March 26, 2025. 

  8. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. 

  9. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  10. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 

  11. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  12. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.

  13. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

  14. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  15. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  16. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  17. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  18. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. 

  19. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  20. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  21. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  22. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  23. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  24. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021. 

  25. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024. 

  26. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  27. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  28. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  29. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  30. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  31. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024. 

  32. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  33. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  34. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  35. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  36. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024. 

  37. Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025. 

  38. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  39. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. 

  40. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. 

  41. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. 

  42. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  43. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  44. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. 

  45. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  46. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  47. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  48. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  49. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.

  50. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025. 

  51. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025. 

  52. Halcyon RISE Team. (2024, October 24). New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion. Retrieved September 26, 2025. 

  53. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  54. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  55. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024. 

  56. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. 

  57. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  58. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  59. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  60. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  61. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  62. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 

  63. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  64. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  65. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  66. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  67. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  68. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  69. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  70. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. 

  71. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  72. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  73. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  74. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  75. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.

  76. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. 

  77. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  78. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 

  79. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  80. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  81. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.

  82. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. 

  83. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  84. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  85. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  86. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.

  87. Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.

  88. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  89. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  90. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  91. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  92. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  93. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  94. M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.

  95. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  96. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  97. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  98. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  99. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  100. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  101. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  102. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  103. Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. 

  104. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  105. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  106. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  107. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. 

  108. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023. 

  109. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  110. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  111. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  112. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

  113. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  114. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  115. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  116. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  117. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  118. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  119. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  120. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.

  121. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. 

  122. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023. 

  123. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. 

  124. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  125. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  126. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

  127. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024. 

  128. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024. 

  129. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  130. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  131. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  132. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  133. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  134. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024. 

  135. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  136. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.

  137. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  138. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.

  139. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  140. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.

  141. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.