Phishing: Spearphishing Link

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to Steal Application Access Tokens, like OAuth tokens, in order to gain access to protected applications and information.[1]

ID: T1566.002
Sub-technique of: T1566
Tactic: Initial Access
Platforms: Google Workspace, Linux, Office 365, SaaS, Windows, macOS
CAPEC ID: CAPEC-163
Contributors: Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services); Mark Wee; Philip Winther; Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC); Shailesh Tiwary (Indian Army)
Version: 2.1
Created: 02 March 2020
Last Modified: 14 April 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has been distributed via spearphishing link.[2]

G0006 APT1

APT1 has sent spearphishing emails containing hyperlinks to malicious files.[3]

G0007 APT28

APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.[4][5][6]

G0016 APT29

APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[7][8]

G0022 APT3

APT3 has sent spearphishing emails containing malicious links.[9]

G0050 APT32

APT32 has sent spearphishing emails containing malicious links.[10][11][12][13][14]

G0064 APT33

APT33 has sent spearphishing emails containing links to .hta files.[15][16]

G0087 APT39

APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[17][18]

S0534 Bazar

Bazar has been spread via emails with embedded malicious links.[19][20][21]

G0098 BlackTech

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[22]

G0080 Cobalt Group

Cobalt Group has sent emails with URLs pointing to malicious documents.[23][24]

G0074 Dragonfly 2.0

Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.[25]

G0066 Elderwood

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[26][27]

S0367 Emotet

Emotet has been delivered by phishing emails containing links.[28][29][30][31][32][33][34][35]

G0120 Evilnum

Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.[36]

G0085 FIN4

FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[37][38]

G0046 FIN7

FIN7 has conducted broad phishing campaigns using malicious links.[39]

G0061 FIN8

FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[40]

S0531 Grandoreiro

Grandoreiro has been spread via malicious links embedded in e-mails.[41][42]

S0561 GuLoader

GuLoader has been spread in phishing campaigns using malicious web links.[43]

S0499 Hancitor

Hancitor has been delivered via phishing emails which contained malicious links.[44]

S0528 Javali

Javali has been delivered via malicious links embedded in e-mails.[45]

S0585 Kerrdown

Kerrdown has been distributed via e-mails containing a malicious link.[14]

G0094 Kimsuky

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.[46][47]

G0065 Leviathan

Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[48][49]

G0095 Machete

Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[50][51]

G0059 Magic Hound

Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy.[52][53]

S0530 Melcoz

Melcoz has been spread through malicious links embedded in e-mails.[45]

G0103 Mofang

Mofang delivered spearphishing emails with malicious links included.[54]

G0021 Molerats

Molerats has sent phishing emails with malicious links included.[55]

G0069 MuddyWater

MuddyWater has sent targeted spearphishing e-mails with malicious links.[56][57]

G0129 Mustang Panda

Mustang Panda has delivered spearphishing links to their target.[58]

S0198 NETWIRE

NETWIRE has been spread via e-mail campaigns utilizing malicious links.[43]

G0014 Night Dragon

Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.[59]

G0049 OilRig

OilRig has sent spearphishing emails with malicious links to potential victims.[60]

G0040 Patchwork

Patchwork has used spearphishing with links to deliver files with exploits to initial victims. The group has also used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.[61][62][63][64]

S0453 Pony

Pony has been delivered via spearphishing emails which contained malicious links.[65]

S0650 QakBot

QakBot has spread through emails with malicious links.[66][67][68][69][70][71]

G0034 Sandworm Team

Sandworm Team has crafted phishing emails containing malicious hyperlinks.[72]

G0121 Sidewinder

Sidewinder has sent e-mails with malicious links often crafted for specific targets.[73][74]

S0646 SpicyOmelette

SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.[24]

G0092 TA505

TA505 has sent spearphishing emails containing malicious links.[75][76][77][78]

G0134 Transparent Tribe

Transparent Tribe has embedded links to malicious downloads in e-mails.[79][80]

S0266 TrickBot

TrickBot has been delivered via malicious links in phishing e-mails.[81]

G0010 Turla

Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[82]

S0476 Valak

Valak has been delivered via malicious links in e-mail.[83]

G0112 Windshift

Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[84]

G0102 Wizard Spider

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.[85][86]

G0128 ZIRCONIUM

ZIRCONIUM has used malicious links and web beacons in e-mails for malware download and to track hits to attacker-controlled URLs.[87][88][89]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[90][91]

M1017 User Training

Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.

Detection

ID Data Source Data Component
DS0015 Application Log: Application Log Content
DS0029 Network Traffic: Network Traffic Content; Network Traffic Flow

URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[90][91]

Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once User Execution occurs.
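The detection and M1054 guidance above (authentication-header analysis, URL inspection with shortened-link expansion, and web beacon spotting) can be turned into a simple mail-triage check. The following is an added example, not part of the ATT&CK page: the sample message, the shortener host list and all function names are constructed assumptions for illustration.

```python
"""Triage a suspected spearphishing-link email: authentication headers, links, shortened URLs and beacons."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of public URL-shortener hosts; in production, expand such links in a sandbox before delivery.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample message (not a real campaign artefact); the header mimics an MTA's SPF/DKIM/DMARC verdicts.
SAMPLE_EML = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=payroll.example.com;
 dkim=none; dmarc=fail header.from=payroll.example.com
From: "HR Payroll" <hr@payroll.example.com>
To: alice@example.net
Subject: Updated salary statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review your statement:
<a href="http://bit.ly/3abcXYZ">https://payroll.example.com/statement</a></p>
<img src="http://track.example.org/open.gif?r=alice-7f3a" width="1" height="1">
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect <a href> elements with their visible text, and <img> tags with attributes."""

    def __init__(self):
        super().__init__()
        self.anchors = []  # [href, visible text] pairs
        self.images = []   # attribute dicts of <img> tags
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]
            self.anchors.append(self._open)
        elif tag == "img" and a.get("src"):
            self.images.append(a)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def parse_auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} from Authentication-Results."""
    value = " ".join(str(msg.get("Authentication-Results", "")).split())
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}

def host_of(url):
    """Lower-cased hostname of an absolute URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

def triage(raw_eml):
    """Apply the header and link checks from the Detection text; return auth results and findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    auth = parse_auth_results(msg)
    findings = [f"{m}={auth[m]} for sender domain" for m in ("spf", "dkim", "dmarc")
                if auth.get(m) not in (None, "pass")]
    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())
    for href, text in collector.anchors:
        h = host_of(href)
        if h in SHORTENER_HOSTS:
            findings.append(f"shortened link {href}: expand and inspect before delivery")
        # Visible text that itself looks like a URL but points elsewhere is a classic lure.
        m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.strip(), re.I)
        shown = m.group(1).lower() if m else ""
        if shown and shown != h:
            findings.append(f"link text shows {shown} but href goes to {h}")
    for img in collector.images:
        # A 1x1 image fetched with a per-recipient query string is a web bug / beacon.
        tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
        if tiny and "?" in img["src"]:
            findings.append(f"possible web beacon: {img['src']}")
    return {"auth": auth, "findings": findings}
```

Running `triage(SAMPLE_EML)["findings"]` on the constructed message yields six findings: three failed or absent authentication results, one shortened link, one href/text host mismatch and one beacon image.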

References

  1. Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.
  2. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  3. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  4. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  5. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  6. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  7. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  8. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  9. Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  10. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  11. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  12. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
  13. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  14. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  15. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  16. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  17. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  18. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  19. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  20. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  21. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  22. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  23. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  24. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  25. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  26. O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  27. Clayton, M. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
  28. Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  29. Shulmin, A. (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
  30. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
  31. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  32. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  33. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  34. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  35. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  36. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  37. Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  38. Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  39. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  40. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  41. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  42. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
  43. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
  44. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  45. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  46. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  47. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  48. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  49. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  50. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  51. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  52. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
  53. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
  54. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  55. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  56. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  57. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  58. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
  59. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  60. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  61. Hamada, J. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
  62. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  63. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  64. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  65. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  66. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  67. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  68. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  69. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  70. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  71. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  72. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  73. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  74. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
  75. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  76. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  77. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  78. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  79. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  80. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
  81. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  82. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  83. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  84. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
  85. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  86. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  87. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  88. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
  89. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  90. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  91. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.