User Execution: Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop, hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

ID: T1204.002
Sub-technique of: T1204
Tactic: Execution
Platforms: Linux, Windows, macOS
Permissions Required: User
Version: 1.1
Created: 11 March 2020
Last Modified: 21 July 2021

Procedure Examples

ID Name Description
G0018 admin@338

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.[1]

S0331 Agent Tesla

Agent Tesla has been executed through malicious e-mail attachments.[2]

G0130 Ajax Security Team

Ajax Security Team has lured victims into executing malicious files.[3]

G0138 Andariel

Andariel has attempted to lure victims into enabling malicious macros within email attachments.[4]

S0584 AppleJeus

AppleJeus has required user execution of a malicious MSI installer.[5]

S0622 AppleSeed

AppleSeed can achieve execution through users running malicious file attachments distributed via email.[6]

G0099 APT-C-36

APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload.[7]

G0005 APT12

APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing.[8][9]

G0073 APT19

APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.[10]

G0007 APT28

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.[11][12]

G0016 APT29

APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.[13][14][15]

G0013 APT30

APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.[16]

G0050 APT32

APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[17][18][19][20][21]

G0064 APT33

APT33 has used malicious e-mail attachments to lure victims into executing malware.[22]

G0067 APT37

APT37 has sent spearphishing attachments attempting to get a user to open them.[23]

G0082 APT38

APT38 has attempted to lure victims into enabling malicious macros within email attachments.[24]

G0087 APT39

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.[25][26][27][28]

S0373 Astaroth

Astaroth has used malicious files including VBS, LNK, and HTML for execution.[29]

S0606 Bad Rabbit

Bad Rabbit has been executed through user installation of an executable disguised as a flash installer.[30][31]

S0642 BADFLICK

BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.[32]

S0234 Bandook

Bandook has used lure documents to convince the user to enable macros.[33]

G0098 BlackTech

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[34]

S0520 BLINDINGCAN

BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.[35]

S0635 BoomBox

BoomBox has gained execution through user interaction with a malicious file.[36]

G0060 BRONZE BUTLER

BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.[37][38]

S0482 Bundlore

Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update.[39]

S0348 Cardinal RAT

Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[40]

S0465 CARROTBALL

CARROTBALL has been executed through users being lured into opening malicious e-mail attachments.[41]

S0631 Chaes

Chaes requires the user to click on the malicious Word document to execute the next part of the attack.[42]

G0080 Cobalt Group

Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.[43][44]

S0527 CSPY Downloader

CSPY Downloader has been delivered via malicious documents with embedded macros.[45]

G0070 Dark Caracal

Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[46]

G0012 Darkhotel

Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on malicious attachments.[47][48]

G0079 DarkHydrus

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[49][50]

G0074 Dragonfly 2.0

Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open attachments.[51][52]

S0384 Dridex

Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing.[53]

G0066 Elderwood

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.[54][55]

S0367 Emotet

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.[56][57][58]

S0634 EnvyScout

EnvyScout has been executed through malicious files attached to e-mails.[36]

G0137 Ferocious Kitten

Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.[59]

G0085 FIN4

FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).[60][61]

G0037 FIN6

FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.[62]

G0046 FIN7

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[63][64][65]

G0061 FIN8

FIN8 has used malicious e-mail attachments to lure victims into executing malware.[66][67][68]

G0101 Frankenstein

Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.[69]

G0084 Gallmaker

Gallmaker sent victims a lure document with a warning that asked victims to "enable content" for execution.[70]

G0047 Gamaredon Group

Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.[71][72]

G0078 Gorgon Group

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[73]

S0531 Grandoreiro

Grandoreiro has infected victims via malicious attachments.[74]

S0561 GuLoader

The GuLoader executable has been retrieved via embedded macros in malicious Word documents.[75]

S0499 Hancitor

Hancitor has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros.[76]

G0126 Higaisa

Higaisa used malicious e-mail attachments to lure victims into executing LNK files.[77][78]

S0483 IcedID

IcedID has been executed through Word documents with malicious embedded macros.[79]

G0100 Inception

Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.[80][81][82][83]

G0136 IndigoZebra

IndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file which would trigger the attack.[84]

G0119 Indrik Spider

Indrik Spider has attempted to get users to click on a malicious zipped file.[85]

S0260 InvisiMole

InvisiMole can deliver trojanized versions of software and documents, relying on user execution.[86]

S0528 Javali

Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.[29]

S0389 JCry

JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.[87]

S0648 JSS Loader

JSS Loader has been executed through malicious attachments contained in spearphishing emails.[64]

S0585 Kerrdown

Kerrdown has gained execution through victims opening malicious files.[21][88]

S0526 KGH_SPY

KGH_SPY has been spread through Word documents containing malicious macros.[45]

G0094 Kimsuky

Kimsuky has attempted to lure victims into opening malicious e-mail attachments.[89][90][91][45][6]

G0032 Lazarus Group

Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[92]

G0065 Leviathan

Leviathan has sent spearphishing attachments attempting to get a user to click.[93][94]

S0447 Lokibot

Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.[95][96]

G0095 Machete

Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.[97][98][99][100]

G0059 Magic Hound

Magic Hound has attempted to lure victims into opening malicious email attachments.[101]

G0045 menuPass

menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.[102][103][104][105][106]

S0455 Metamorfo

Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.[107][108]

G0103 Mofang

Mofang's malicious spearphishing attachments required a user to open the file after receiving.[109]

G0021 Molerats

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.[110][111][112]

G0069 MuddyWater

MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.[113][114][115][116][117][118][119][120]

G0129 Mustang Panda

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[121][122][123][124]

G0019 Naikon

Naikon has convinced victims to open malicious attachments to execute malware.[125]

S0637 NativeZone

NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.[36]

S0198 NETWIRE

NETWIRE has been executed through luring victims into opening malicious documents.[126][75][127]

G0133 Nomadic Octopus

Nomadic Octopus has attempted to lure victims into clicking on malicious attachments within spearphishing emails.[128][129]

S0340 Octopus

Octopus has relied upon users clicking on a malicious attachment delivered through spearphishing.[129]

G0049 OilRig

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[130][131][132][133]

S0402 OSX/Shlayer

OSX/Shlayer relies on users mounting and executing a malicious DMG file.[134][135]

G0040 Patchwork

Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.[136][137]

G0068 PLATINUM

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[138]

S0435 PLEAD

PLEAD has been executed via malicious e-mail attachments.[34]

S0428 PoetRAT

PoetRAT has used spearphishing attachments to infect victims.[139]

S0453 Pony

Pony has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).[140]

G0056 PROMETHIUM

PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[141][142]

S0650 QakBot

QakBot has gained execution through users opening malicious attachments.[143][144][145][146][147][148][149][150]

S0458 Ramsay

Ramsay has been executed through malicious e-mail attachments.[151]

G0075 Rancor

Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.[152]

S0496 REvil

REvil has been executed via malicious MS Word e-mail attachments.[153][154][155]

S0433 Rifdoor

Rifdoor has been executed from malicious Excel or Word documents containing macros.[156]

S0148 RTM

RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.[157]

G0048 RTM

RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.[158]

G0034 Sandworm Team

Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.[159][160]

G0104 Sharpshooter

Sharpshooter has sent malicious DOC and PDF files to targets so that they can be opened by a user.[161]

G0121 Sidewinder

Sidewinder has lured targets to click on malicious files to gain execution in the target environment.[162][163][164][165]

G0091 Silence

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.[166][167][168]

S0390 SQLRat

SQLRat relies on users clicking on an embedded image to execute the scripts.[169]

S0491 StrongPity

StrongPity has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[141][142]

S0464 SYSCON

SYSCON has been executed by luring victims to open malicious e-mail attachments.[170]

G0062 TA459

TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing.[171]

G0092 TA505

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[172][173][174][175][176][177][178][179][180]

G0127 TA551

TA551 has prompted users to enable macros within spearphishing attachments to install malware.[181]

S0011 Taidoor

Taidoor has relied upon a victim to click on a malicious email attachment.[182]

G0089 The White Company

The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[183]

G0131 Tonto Team

Tonto Team has relied on user interaction to open their spearphishing attachments.[184]

G0134 Transparent Tribe

Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.[185][186][187][188][189]

S0266 TrickBot

TrickBot has attempted to get users to launch malicious documents to deliver its payload.[190][191]

G0081 Tropic Trooper

Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.[192]

S0263 TYPEFRAME

A Word document delivering TYPEFRAME prompts the user to enable macro execution.[193]

S0476 Valak

Valak has been executed via Microsoft Word documents containing malicious macros.[194][195][196]

G0107 Whitefly

Whitefly has used malicious .exe or .dll files disguised as documents or images.[197]

G0112 Windshift

Windshift has used e-mail attachments to lure victims into executing malicious code.[198]

G0102 Wizard Spider

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.[199][200]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules.[201]

M1038 Execution Prevention

Application control may be able to prevent the running of executables masquerading as other files.

M1017 User Training

Use user training to raise awareness of common phishing and spearphishing techniques and to teach users to treat potentially malicious events with suspicion.

Detection

ID Data Source Data Component
DS0022 File File Creation
DS0009 Process Process Creation

Monitor the execution of, and command-line arguments for, applications that an adversary may use to gain initial access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).
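The process-creation signals described above (a document application spawning a script interpreter, a compression application launching a file it has just unpacked, and a file name masquerading as a document) can be written as a small triage rule set. This is an added example, not part of the ATT&CK page: the event field names (`pid`, `parent_image`, `image`, `command_line`), the process-name lists, the temp-path marker, and the sample events are assumptions constructed for illustration and should be adapted to the telemetry actually collected.

```python
"""Triage process-creation events for signs of T1204.002 (added example)."""
import ntpath
import re

# Assumed lists; extend them to match the software deployed in the environment.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "acrord32.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
ARCHIVE_TOOLS = {"7zfm.exe", "7zg.exe", "winrar.exe"}

# Assumed marker for a per-user temp directory, where archive tools
# typically unpack a member before launching it.
TEMP_MARKER = "\\appdata\\local\\temp\\"

# A document or image extension followed by an executable or script
# extension, e.g. "invoice.pdf.exe" (masquerading as a document).
DOUBLE_EXT = re.compile(
    r"\.(?:docx?|xlsx?|pdf|rtf|jpe?g|png|txt)\.(?:exe|scr|pif|lnk|js|vbs)\b",
    re.IGNORECASE,
)


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def triage(event):
    """Return the names of the rules that one process-creation event matches."""
    parent = _name(event["parent_image"])
    child = _name(event["image"])
    hits = []

    # Rule 1: a document or mail application starts a script interpreter.
    if parent in DOCUMENT_HANDLERS and child in INTERPRETERS:
        hits.append("DOC_SPAWNS_INTERPRETER")

    # Rule 2: an archive tool starts a binary located in a temp directory.
    if parent in ARCHIVE_TOOLS and TEMP_MARKER in event["image"].lower():
        hits.append("ARCHIVE_TEMP_EXEC")

    # Rule 3: the image path or command line carries a double extension.
    if DOUBLE_EXT.search(event["image"]) or DOUBLE_EXT.search(
            event.get("command_line", "")):
        hits.append("DOUBLE_EXTENSION")

    return hits


def scan(events):
    """Return (pid, matched rules) for every event that matches a rule."""
    results = []
    for event in events:
        hits = triage(event)
        if hits:
            results.append((event["pid"], hits))
    return results


# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"pid": 5300,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\Invoice_2021.pdf.exe",
     "command_line": r'"C:\Users\alice\Downloads\Invoice_2021.pdf.exe"'},
    {"pid": 6012,
     "parent_image": r"C:\Program Files\7-Zip\7zFM.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\7zO4F2A\setup.exe",
     "command_line": "setup.exe"},
    {"pid": 6500,  # benign: the user opens a document from Explorer
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"'},
    {"pid": 7204,
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.001\scan.jpg.scr",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.001\scan.jpg.scr" /S'},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS):
        print(pid, ", ".join(rules))
```

Each rule on its own produces false positives (for example, legitimate installers run from an archive), so the rule names are best used as scoring inputs alongside the File Creation data source rather than as standalone alerts.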

References

  1. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  2. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  3. Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE. Retrieved May 28, 2020.
  4. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  5. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  6. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  7. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  8. Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  9. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  10. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  11. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  12. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  13. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  14. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  15. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  16. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  17. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  18. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  19. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  20. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
  21. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  22. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  23. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  24. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  25. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  26. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  27. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  28. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  29. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  30. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  31. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  32. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  33. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  34. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  35. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  36. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  37. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  38. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  39. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  40. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  41. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  42. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  43. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  44. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  45. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  46. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  47. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  48. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021.
  49. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  50. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  51. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  52. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  53. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  54. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  55. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
  56. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  57. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  58. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  59. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  60. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  61. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  62. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  63. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  64. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021.
  65. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  66. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  67. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  68. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  69. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  70. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  71. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  72. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  73. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  74. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  75. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
  76. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  77. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  78. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  79. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  80. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  81. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  82. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  83. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  84. Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
  85. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  86. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  87. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  88. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  89. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  90. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  91. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  92. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  93. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  94. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021.
  95. Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
  96. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  97. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  98. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  99. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  100. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  101. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
  102. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  103. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  104. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  105. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  106. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  107. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  108. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  109. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  110. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  111. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  112. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  113. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  114. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  115. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  116. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  117. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  118. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  119. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  120. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  121. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  122. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  123. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  23. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  24. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  25. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  26. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  27. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  28. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  29. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  30. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  31. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  32. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  33. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  34. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  35. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  36. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  37. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  38. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  39. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  40. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  41. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  42. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  43. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  44. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  45. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  46. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  47. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  48. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  49. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  50. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  51. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  52. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  53. Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
  54. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  55. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  56. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  57. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
  58. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  59. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  60. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  61. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  62. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  63. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
  64. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
  65. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  66. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  67. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  68. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  69. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  70. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  71. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  72. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  73. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  74. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  75. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  76. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  77. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  78. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  79. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  80. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  81. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  82. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  83. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  84. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  85. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  86. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  87. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
  88. Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
  89. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  90. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  91. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
  92. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  93. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  94. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  95. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  96. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  97. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
  98. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  99. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  100. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.