Phishing: Spearphishing Attachment

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

Angreifer können Spearphishing-E-Mails mit einem bösartigen Anhang versenden, um sich Zugang zu den Systemen der Opfer zu verschaffen. Der Spearphishing-Anhang ist eine spezielle Variante des Spearphishings. Der Spearphishing-Anhang unterscheidet sich von anderen Formen des Spearphishings durch die Verwendung von Malware im Anhang einer E-Mail. Alle Formen von Spearphishing sind elektronisch übermittelte Social Engineering-Methoden, die auf eine bestimmte Person, ein Unternehmen oder eine Branche abzielen. In diesem Szenario hängen die Angreifer eine Datei an die Spearphishing-E-Mail an und nutzen in der Regel die User Execution, um die Ausführung zu erreichen. Spearphishing kann auch Social-Engineering-Techniken beinhalten, wie z. B. das Ausgeben als vertrauenswürdige Quelle.

Es gibt viele Möglichkeiten für den Anhang, z. B. Microsoft Office-Dokumente, ausführbare Dateien, PDFs oder archivierte Dateien. Nach dem Öffnen des Anhangs (und dem möglichen Übergehen von Schutzmechanismen) nutzt der Angreifer eine Sicherheitslücke aus oder wird direkt auf dem System des Benutzers ausgeführt. Der Text der Spearphishing-E-Mail versucht in der Regel, einen plausiblen Grund zu nennen, warum die Datei geöffnet werden sollte, und kann erklären, wie man den Systemschutz umgeht, um dies zu tun. Die E-Mail kann auch Anweisungen zur Entschlüsselung eines Anhangs enthalten, wie z. B. das Kennwort einer Zip-Datei, um den Schutz der E-Mail-Grenzen zu umgehen. Angreifer manipulieren häufig Dateierweiterungen und Symbole, um angehängte ausführbare Dateien als Dokumentdateien erscheinen zu lassen, oder Dateien, die eine Anwendung ausnutzen, als Datei für eine andere Anwendung.

Les adversaires peuvent envoyer des e-mails de spearphishing avec une pièce jointe malveillante dans le but d'accéder aux systèmes des victimes. Le spearphishing en pièce jointe est une variante spécifique du spearphishing. Le spearphishing en pièce jointe diffère des autres formes de spearphishing en ce qu'il utilise un logiciel malveillant joint à un e-mail. Toutes les formes de spearphishing sont de l'ingénierie sociale délivrée par voie électronique et ciblant une personne, une entreprise ou un secteur spécifique. Dans ce scénario, les adversaires joignent un fichier à l'e-mail de spearphishing et s'appuient généralement sur [User Execution] (/techniques/T1204) pour l'exécuter. Le spearphishing peut également impliquer des techniques d'ingénierie sociale, comme se faire passer pour une source de confiance.

Il existe de nombreuses options pour la pièce jointe, comme des documents Microsoft Office, des exécutables, des PDF ou des fichiers archivés. En ouvrant la pièce jointe (et en cliquant éventuellement sur des protections antérieures), la charge utile de l'adversaire exploite une vulnérabilité ou s'exécute directement sur le système de l'utilisateur. Le texte de l'e-mail de spearphishing tente généralement de donner une raison plausible pour laquelle le fichier devrait être ouvert, et peut expliquer comment contourner les protections du système pour le faire. L'e-mail peut également contenir des instructions sur la manière de décrypter une pièce jointe, comme le mot de passe d'un fichier zip, afin d'échapper aux défenses des limites de l'e-mail. Les adversaires manipulent fréquemment les extensions de fichiers et les icônes afin que les exécutables joints semblent être des fichiers de documents, ou que les fichiers exploitant une application semblent être un fichier pour une autre application.

Gli avversari possono inviare email di spearphishing con un allegato malevolo nel tentativo di ottenere l'accesso ai sistemi delle vittime. Lo spearphishing attachment è una variante specifica dello spearphishing. Lo spearphishing attachment è diverso dalle altre forme di spearphishing in quanto impiega l'uso di malware allegato ad un'email. Tutte le forme di spearphishing sono ingegneria sociale consegnata elettronicamente e mirata ad un individuo, un'azienda o un settore specifico. In questo scenario, gli avversari allegano un file all'email di spearphishing e di solito si basano su User Execution per ottenere l'esecuzione. Lo spearphishing può anche coinvolgere tecniche di ingegneria sociale, come ad esempio fingersi una fonte fidata.

Ci sono molte opzioni per l'allegato come documenti Microsoft Office, eseguibili, PDF o file archiviati. Aprendo l'allegato (e potenzialmente cliccando oltre le protezioni), il payload dell'avversario sfrutta una vulnerabilità o viene eseguito direttamente sul sistema dell'utente. Il testo dell'email di spearphishing di solito cerca di dare una ragione plausibile per cui il file dovrebbe essere aperto e può spiegare come aggirare le protezioni del sistema per farlo. L'email può anche contenere istruzioni su come decriptare un allegato, come la password di un file zip, per eludere le difese di confine dell'email. Gli avversari manipolano spesso le estensioni dei file e le icone per far sembrare che gli eseguibili allegati siano file di documenti o che i file che sfruttano un'applicazione sembrino file per un'altra.

Login
ID: T1566.001
Sub-technique of:  T1566
Tactic: Initial Access
Platforms: Linux, Windows, macOS
CAPEC ID: CAPEC-163
Contributors: Philip Winther
Version: 2.2
Created: 02 March 2020
Last Modified: 18 October 2021
Translations:  DE FR IT EN
Provided by LAYER 8

Procedure Examples

ID Name Description
G0018 admin@338

admin@338 has sent emails with malicious Microsoft Office documents attached.[1]

S0331 Agent Tesla

The primary delivered mechaism for Agent Tesla is through email phishing messages.[2]

G0130 Ajax Security Team

Ajax Security Team has used personalized spearphishing attachments.[3]

G0138 Andariel

Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.[4][5]

S0622 AppleSeed

AppleSeed has been distributed to victims through malicious e-mail attachments.[6]

G0099 APT-C-36

APT-C-36 has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.[7]

G0006 APT1

APT1 has sent spearphishing emails containing malicious attachments.[8]

G0005 APT12

APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.[9][10]

G0073 APT19

APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.[11]

G0007 APT28

APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.[12][13][14][15][16][17][18]

G0016 APT29

APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[19][20][21][22]

G0013 APT30

APT30 has used spearphishing emails with malicious DOC attachments.[23]

G0050 APT32

APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.[24][25][26][27][28][29]

G0064 APT33

APT33 has sent spearphishing e-mails with archive attachments.[30]

G0067 APT37

APT37 delivers malware using spearphishing emails with malicious HWP attachments.[31][32][33]

G0082 APT38

APT38 has conducted spearphishing campaigns using malicious email attachments.[34]

G0087 APT39

APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.[35][36][37]

G0096 APT41

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[38]

S0642 BADFLICK

BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[39]

S0234 Bandook

Bandook is delivered via a malicious Word document inside a zip file.[40]

G0098 BlackTech

BlackTech has used spearphishing e-mails with malicious documents to deliver malware.[41]

S0520 BLINDINGCAN

BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.[42]

G0060 BRONZE BUTLER

BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.[43][44]

S0631 Chaes

Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.[45]

G0080 Cobalt Group

Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.[46][47][48][49][50][51][52][53]

G0012 Darkhotel

Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.[54][55]

G0079 DarkHydrus

DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[56][57][58]

G0074 Dragonfly 2.0

Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims.[59][60]

G0066 Elderwood

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[61][62]

S0367 Emotet

Emotet has been delivered by phishing emails containing attachments. [63][64][65][66][67][68][69][70][71]

S0634 EnvyScout

EnvyScout has been distributed via spearphishing as an email attachment.[72]

G0137 Ferocious Kitten

Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.[73]

G0085 FIN4

FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.[74][75]

G0037 FIN6

FIN6 has targeted victims with e-mails containing malicious attachments.[76]

G0046 FIN7

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[77][78][79][80][81]

G0061 FIN8

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[82][83][84]

G0101 Frankenstein

Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.[85]

G0084 Gallmaker

Gallmaker sent emails with malicious Microsoft Office documents attached.[86]

G0047 Gamaredon Group

Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.[87][88]

G0078 Gorgon Group

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[89]

S0499 Hancitor

Hancitor has been delivered via phishing emails with malicious attachments.[90]

G0126 Higaisa

Higaisa has sent spearphishing emails containing malicious attachments.[91][92]

S0483 IcedID

IcedID has been delivered via phishing e-mails with malicious attachments.[93]

G0100 Inception

Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.[94][95][96][97]

G0136 IndigoZebra

IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments.[98][99]

S0528 Javali

Javali has been delivered as malicious e-mail attachments.[100]

S0648 JSS Loader

JSS Loader has been delivered by phishing emails containing malicious Microsoft Excel attachments.[80]

S0585 Kerrdown

Kerrdown has been distributed through malicious e-mail attachments.[29]

G0094 Kimsuky

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[101][102][103][104][105][6]

G0032 Lazarus Group

Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.[106]

G0065 Leviathan

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[107][108]

S0447 Lokibot

Lokibot is delivered via a malicious XLS attachment contained within a spearhpishing email.[109]

G0095 Machete

Machete has delivered spearphishing emails that contain a zipped file with malicious contents.[110][111][112]

G0045 menuPass

menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.[113][114][115][116]

S0455 Metamorfo

Metamorfo has been delivered to victims via emails with malicious HTML attachments.[117][118]

G0103 Mofang

Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.[119]

G0021 Molerats

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.[120][121][122]

G0069 MuddyWater

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.[123][124][125][126][127][128]

G0129 Mustang Panda

Mustang Panda has used spearphishing attachments to deliver initial access payloads.[129][130]

G0019 Naikon

Naikon has used malicious e-mail attachments to deliver malware.[131]

S0198 NETWIRE

NETWIRE has been spread via e-mail campaigns utilizing malicious attachments.[132][133]

G0133 Nomadic Octopus

Nomadic Octopus has targeted victims with spearphishing emails containing malicious attachments.[134][135]

S0346 OceanSalt

OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[136]

S0340 Octopus

Octopus has been delivered via spearsphishing emails.[135]

G0049 OilRig

OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.[137][138][139]

G0040 Patchwork

Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[140][141][142][143]

G0068 PLATINUM

PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.[144]

S0428 PoetRAT

PoetRAT was distributed via malicious Word documents.[145]

S0453 Pony

Pony has been delivered via spearphishing attachments.[146]

S0650 QakBot

QakBot has spread through emails with malicious attachments.[147][148][149][150][151][152][153]

S0458 Ramsay

Ramsay has been distributed through spearphishing emails with malicious attachments.[154]

G0075 Rancor

Rancor has attached a malicious document to an email to gain initial access.[155]

S0496 REvil

REvil has been distributed via malicious e-mail attachments including MS Word Documents.[156][157][158][159][160]

S0433 Rifdoor

Rifdoor has been distributed in e-mails with malicious Excel or Word documents.[161]

S0148 RTM

RTM has been delivered via spearphishing attachments disguised as PDF documents.[162]

G0048 RTM

RTM has used spearphishing attachments to distribute its malware.[163]

G0034 Sandworm Team

Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.[164][165][166][167]

G0104 Sharpshooter

Sharpshooter has sent malicious attachments via emails to targets.[168]

G0121 Sidewinder

Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.[169]

G0091 Silence

Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. [170][171][172]

G0062 TA459

TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.[173]

G0092 TA505

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[174][175][176][177][178][179][180][181][182]

G0127 TA551

TA551 has sent spearphishing attachments with password protected ZIP files.[183][184][185]

S0011 Taidoor

Taidoor has been delivered through spearphishing emails.[186]

G0089 The White Company

The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[187]

G0131 Tonto Team

Tonto Team has delivered payloads via spearphishing attachments.[188]

G0134 Transparent Tribe

Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.[189][190][191][192][193]

S0266 TrickBot

TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware[194]

G0081 Tropic Trooper

Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.[195][196][197][198][199]

S0476 Valak

Valak has been delivered via spearphishing e-mails with password protected ZIP files.[183]

G0112 Windshift

Windshift has sent spearphishing emails with attachment to harvest credentials and deliver malware.[200]

G0102 Wizard Spider

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.[201][202]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can also automatically quarantine suspicious files.

M1031 Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.

M1021 Restrict Web-Based Content

Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments.

M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[203][204]

M1017 User Training

Users can be trained to identify social engineering techniques and spearphishing emails.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Creation
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow

Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[203][204]

Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution or usage of malicious scripts.

Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[205]

Netzwerk-Intrusion-Detection-Systeme und E-Mail-Gateways können eingesetzt werden, um Spearphishing mit bösartigen Anhängen während der Übertragung zu erkennen. Detonationskammern können ebenfalls eingesetzt werden, um bösartige Anhänge zu identifizieren. Die Lösungen können signatur- und verhaltensbasiert sein, aber die Angreifer können Anhänge so konstruieren, dass sie diese Systeme umgehen.

Filter, die auf DKIM+SPF oder einer Header-Analyse basieren, können dabei helfen, zu erkennen, wenn der E-Mail-Absender gefälscht ist.(Zitat: Microsoft Anti Spoofing)(Zitat: ACSC Email Spoofing)

Anti-Virus kann potentiell bösartige Dokumente und Anhänge erkennen, wenn sie gescannt werden, um auf dem E-Mail-Server oder auf dem Computer des Benutzers gespeichert zu werden. Die Endpunkt- oder Netzwerkerkennung kann potenziell bösartige Ereignisse erkennen, sobald der Anhang geöffnet wird (z. B. ein Microsoft Word- oder PDF-Dokument, das ins Internet gelangt oder die Powershell.exe startet), um Techniken wie [Exploitation for Client Execution] (/techniques/T1203) oder die Verwendung bösartiger Skripte zu erkennen.

Überwachen Sie auf verdächtige Nachfolgeprozesse, die von Microsoft Office und anderer Produktivitätssoftware gestartet werden.(Zitat: Elastic - Koadiac Detection with EQL)

Les systèmes de détection d'intrusion dans les réseaux et les passerelles de messagerie peuvent être utilisés pour détecter le spearphishing avec des pièces jointes malveillantes en transit. Les chambres de détonation peuvent également être utilisées pour identifier les pièces jointes malveillantes. Les solutions peuvent être basées sur les signatures et le comportement, mais les adversaires peuvent construire les pièces jointes de manière à éviter ces systèmes.

Le filtrage basé sur DKIM+SPF ou l'analyse des en-têtes peut aider à détecter quand l'expéditeur du courriel est usurpé.(Citation : Microsoft Anti Spoofing)(Citation : ACSC Email Spoofing)

L'antivirus peut potentiellement détecter les documents et les pièces jointes malveillants lorsqu'ils sont analysés pour être stockés sur le serveur de messagerie ou sur l'ordinateur de l'utilisateur. La détection des points finaux ou du réseau peut potentiellement détecter les événements malveillants une fois que la pièce jointe est ouverte (comme un document Microsoft Word ou PDF qui se connecte à Internet ou qui génère Powershell.exe) pour des techniques telles que l'[Exploitation for Client Execution] (/techniques/T1203) ou l'utilisation de scripts malveillants.

Surveillez la création de processus descendants suspects à partir de Microsoft Office et d'autres logiciels de productivité.(Citation : Elastic - Koadiac Detection with EQL)

I sistemi di rilevamento delle intrusioni di rete e i gateway di posta elettronica possono essere utilizzati per rilevare lo spearphishing con allegati malevoli in transito. Anche le camere di detonazione possono essere utilizzate per identificare gli allegati malevoli. Le soluzioni possono essere basate sulla firma e sul comportamento, ma gli avversari possono costruire gli allegati in modo da evitare questi sistemi.

Il filtraggio basato su DKIM+SPF o sull'analisi dell'intestazione può aiutare a rilevare quando il mittente di email è spoofing.(Citazione: Microsoft Anti Spoofing)(Citazione: ACSC Email Spoofing)

L'antivirus può potenzialmente rilevare documenti ed allegati malevoli mentre vengono scansionati per essere archiviati sul server di posta elettronica o sul computer dell'utente. Endpoint sensing o network sensing possono potenzialmente rilevare eventi malevoli una volta che l'allegato viene aperto (come un documento Microsoft Word o PDF che raggiunge internet o che genera Powershell.exe) per tecniche come Exploitation for Client Execution o l'uso di script malevoli.

Monitorare la generazione di processi discendenti sospetti da Microsoft Office e altri software di produttività.(Citazione: Elastic - Koadiac Detection with EQL)

References

  1. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  2. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  3. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  4. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  5. Jazi, H. (2021, April 19). Lazarus APT conceals malicious code within BMP image to drop its RAT . Retrieved September 29, 2021.
  6. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  7. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  8. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  9. Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  10. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  11. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  12. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  13. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  14. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  15. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  16. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  17. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  18. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  19. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  20. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  21. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  22. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  23. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  24. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  25. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  26. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  27. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  28. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
  29. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  30. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  31. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  32. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  33. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  34. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  35. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  36. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  37. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  38. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  39. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  40. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  41. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  42. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  43. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  44. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  45. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  46. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  47. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  48. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  49. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  50. Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
  51. Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
  52. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  53. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  54. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  55. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  56. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  57. Falcone, R. (2018, August 07). DarkHydrus Uses Phishery to Harvest Credentials in the Middle East. Retrieved August 10, 2018.
  58. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  59. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  60. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  61. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  62. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
  63. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
  64. Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  65. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  66. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  67. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  68. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  69. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  70. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  71. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  72. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  73. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  74. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  75. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  76. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  77. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  78. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  79. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  80. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021.
  81. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  82. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  83. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  84. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  85. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  86. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  87. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  88. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  89. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  90. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  91. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  92. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  93. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  94. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  95. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  96. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  97. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  98. Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
  99. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  100. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  101. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  102. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  103. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  1. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  2. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  3. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  4. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  5. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021.
  6. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  7. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  8. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  9. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  10. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  11. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  12. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  13. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  14. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  15. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  16. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  17. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  18. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  19. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  20. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  21. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  22. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  23. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  24. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  25. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  26. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  27. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
  28. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  29. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
  30. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  31. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  32. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  33. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  34. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  35. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  36. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  37. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  38. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  39. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  40. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  41. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  42. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  43. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  44. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  45. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  46. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  47. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  48. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  49. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  50. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  51. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  52. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  53. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  54. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  55. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  56. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  57. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  58. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  59. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  60. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
  61. Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  62. US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.
  63. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  64. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  65. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  66. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  67. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  68. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  69. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  70. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  71. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  72. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  73. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  74. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  75. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  76. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  77. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  78. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  79. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  80. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  81. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  82. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
  83. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  84. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  85. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  86. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  87. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  88. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  89. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
  90. Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
  91. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  92. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  93. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  94. Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019.
  95. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
  96. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  97. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
  98. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  99. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  100. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  101. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
  102. Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.