
💼 Admin@338 - Group Overview 🇨🇳
...

📜 Description:
...

Admin@338, also known as Temper Panda, is a China-based cyber threat group. This APT group has been active since at least 2014 and is primarily involved in information theft and espionage 🕵️. They have a history of using newsworthy events as lures to deliver malware 💻. Their targets have largely been organizations involved in financial 💰, economic 📈, and trade policy 🌐. The group has shown a particular interest in political and economic issues in Hong Kong 🇭🇰 and China 🇨🇳, targeting Hong Kong media companies 📰 and pro-democracy movements 🗳️.

💡 Motivation:
...

The primary motivation of Admin@338 appears to be espionage 📄, with a focus on collecting sensitive information 📊 from targeted organizations 🏢. Their activities suggest an intent to gather intelligence related to financial, economic, and trade policies, as well as political movements 🗳️, especially those related to Hong Kong's pro-democracy activities.

📛 Names:
...

Admin@338 is known by several aliases 🏷️, including Temper Panda 🐼, Team338, and Magnesium. These names have been attributed to the group by various cybersecurity organizations and researchers.

🌍 Location:
...

The group is believed to be based in China 🇨🇳.

📅 First Seen:
...

Admin@338 was first observed in 2014 📆.

👀 Observed:
...

The group has been observed targeting sectors such as Defense 🛡️, Financial 💼, Government 🏛️, Media 📺, and Think Tanks 🧠. Geographically, their activities have been primarily focused on Hong Kong 🇭🇰 and the USA 🇺🇸.

Tools Used:

Admin@338 has used a variety of tools in their operations, including but not limited to:

  • Bozok
  • BUBBLEWRAP
  • LOWBALL
  • Poison Ivy
  • Built-in Windows utilities (net, ipconfig, netstat, systeminfo), i.e. living-off-the-land tooling that uses software already present on the system for discovery and staging

Their use of these tools demonstrates a capability to employ both publicly available RATs and sophisticated, non-public backdoors for their operations.

The Admin@338 APT group, identified on the MITRE ATT&CK framework as G0018, relies on a fairly standard set of post-exploitation techniques rather than on anything exotic. Here's a detailed look at the key techniques documented for this group:

  • Account Discovery (T1087.001): Admin@338 actors have used commands following the exploitation of a machine with LOWBALL malware to enumerate user accounts. This includes commands like net user >> %temp%\download and net user /domain >> %temp%\download, which help them gather information about local and domain accounts on the compromised system.
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003): After exploiting a machine with LOWBALL malware, the actors create a file containing a list of commands to be executed on the compromised computer. This technique allows them to perform various actions using the Windows command shell.
  • Exploitation for Client Execution (T1203): Admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158. This involves taking advantage of software vulnerabilities to execute arbitrary code.
  • File and Directory Discovery (T1083): The group uses commands to obtain information about files and directories after exploiting a machine. This includes commands like dir c:\ >> %temp%\download and similar commands for other directories, which helps them understand the file system layout and locate files of interest.
  • Masquerading: Match Legitimate Name or Location (T1036.005): Admin@338 actors have used commands to rename one of their tools to a benign file name, such as ren "%temp%\upload" audiodg.exe. This technique helps them evade detection by making their malicious tools appear legitimate.
  • Permission Groups Discovery: Local Groups (T1069.001): They use commands like net localgroup administrator >> %temp%\download following the exploitation of a machine with LOWBALL malware to list local groups. This helps them identify administrative groups and other permission sets on the compromised system.
  • Phishing: Spearphishing Attachment (T1566.001): Admin@338 has sent emails with malicious Microsoft Office documents attached. This spearphishing technique is a common method for initial access, tricking users into opening malicious attachments.
  • System Information Discovery (T1082): The actors use commands to obtain information about the operating system after exploiting a machine, such as ver >> %temp%\download and systeminfo >> %temp%\download. This provides them with detailed information about the compromised system.
  • System Network Configuration Discovery (T1016): They acquire information about local networks using commands like ipconfig /all >> %temp%\download after exploiting a machine.
  • System Network Connections Discovery (T1049): Admin@338 uses commands to display network connections, such as netstat -ano >> %temp%\download, which helps them understand the network environment of the compromised system.
  • System Service Discovery (T1007): They use commands like net start >> %temp%\download to obtain information about services running on the system.
  • User Execution: Malicious File (T1204.002): The group attempts to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails, a tactic that relies on user interaction to execute the malicious payload.
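The discovery chain above is unusually easy to turn into a detection, because every command appends its output to the same staging file under %temp% and the tool rename uses a fixed target name. The following Python script is an added example written for this page, not code from FireEye or MITRE; the process-creation events it scans are constructed here to mirror the command lines listed above, and the field layout (host, command line) is an assumed simplification of Sysmon Event ID 1 or Windows 4688 data.

```python
import re
from collections import defaultdict

# Constructed process-creation events as (host, command line). Illustrative only: the
# command lines mirror the ones in the technique list above, the hosts are made up.
SAMPLE_EVENTS = [
    ("HK-WS01", r"cmd.exe /c net user >> %temp%\download"),
    ("HK-WS01", r"cmd.exe /c net user /domain >> %temp%\download"),
    ("HK-WS01", r"cmd.exe /c net localgroup administrator >> %temp%\download"),
    ("HK-WS01", r"cmd.exe /c ipconfig /all >> %temp%\download"),
    ("HK-WS01", r"cmd.exe /c netstat -ano >> %temp%\download"),
    ("HK-WS01", r'cmd.exe /c ren "%temp%\upload" audiodg.exe'),
    ("HK-WS02", r"ipconfig /all"),
    ("HK-WS02", r"systeminfo"),
]

# Discovery commands Admin@338 is documented running after a LOWBALL infection.
DISCOVERY_CMDS = ("net user", "net localgroup", "net start", "ipconfig",
                  "netstat", "systeminfo", "ver ", "dir ")
# The redirect target is the real signal: every command appends to one staging file.
STAGING_RE = re.compile(r">>\s*%temp%\\download\b", re.IGNORECASE)
# Renaming the staged upload tool to a system-sounding name (audiodg.exe).
RENAME_RE = re.compile(r"\bren\b.*%temp%\\upload.*\.exe", re.IGNORECASE)


def classify(cmdline):
    """Tag one command line, or return None if it is not of interest."""
    if RENAME_RE.search(cmdline):
        return "rename_to_audiodg"
    if STAGING_RE.search(cmdline):
        lower = cmdline.lower()
        for cmd in DISCOVERY_CMDS:
            if cmd in lower:
                return "staged_discovery:" + cmd.strip()
    return None


def find_lowball_style_hosts(events, threshold=3):
    """Return {host: sorted tags} for hosts that show the staged discovery chain.

    A host is flagged when it runs at least `threshold` distinct discovery commands
    redirected to the %temp% staging file, or when the audiodg.exe rename is seen at all.
    """
    per_host = defaultdict(set)
    for host, cmdline in events:
        tag = classify(cmdline)
        if tag:
            per_host[host].add(tag)
    flagged = {}
    for host, tags in per_host.items():
        staged = [t for t in tags if t.startswith("staged_discovery:")]
        if len(staged) >= threshold or "rename_to_audiodg" in tags:
            flagged[host] = sorted(tags)
    return flagged


if __name__ == "__main__":
    for host, tags in find_lowball_style_hosts(SAMPLE_EVENTS).items():
        print(host, tags)
```

Tuning points: the threshold of three distinct staged discovery commands per host keeps a single stray ipconfig from alerting, while the rename pattern is treated as sufficient on its own because renaming a file in %temp% to audiodg.exe has no benign explanation.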

The Admin@338 APT group, as identified in the MITRE ATT&CK framework, uses a variety of software tools in their cyber operations. Here's a summary of the key software tools and the associated techniques they employ:

  • BUBBLEWRAP (S0043):
    • Techniques: Application Layer Protocol: Web Protocols, Non-Application Layer Protocol, System Information Discovery.
    • BUBBLEWRAP is a multifunctional tool used for various purposes, including web protocol communication and system information gathering.
  • ipconfig (S0100):
    • Technique: System Network Configuration Discovery.
    • This built-in Windows utility is used by Admin@338 to discover network configuration details on compromised systems (the ipconfig /all command listed above).
  • LOWBALL (S0042):
    • Techniques: Application Layer Protocol: Web Protocols, Ingress Tool Transfer, Web Service: Bidirectional Communication.
    • LOWBALL is a malware tool used for establishing web-based communication channels and transferring tools onto targeted systems.
  • Net (S0039):
    • Techniques: Account Discovery (Domain and Local Account), Create Account (Local and Domain Account), Indicator Removal (Network Share Connection Removal), Network Share Discovery, Password Policy Discovery, Permission Groups Discovery (Domain and Local Groups), Remote Services (SMB/Windows Admin Shares), Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services (Service Execution), System Time Discovery.
    • The Net utility is used extensively for a range of activities from account discovery to system service manipulation.
  • netstat (S0104):
    • Technique: System Network Connections Discovery.
    • Admin@338 uses netstat to discover network connections on compromised systems, aiding in their reconnaissance efforts.
  • PoisonIvy (S0012):
    • Techniques: Application Window Discovery, Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Active Setup), Command and Scripting Interpreter (Windows Command Shell), Create or Modify System Process (Windows Service), Data from Local System, Data Staged (Local Data Staging), Encrypted Channel (Symmetric Cryptography), Ingress Tool Transfer, Input Capture (Keylogging), Modify Registry, Obfuscated Files or Information, Process Injection (Dynamic-link Library Injection), Rootkit.
    • PoisonIvy is a well-known Remote Access Trojan (RAT) used for a wide range of malicious activities, from data theft to system manipulation.
  • Systeminfo (S0096):
    • Technique: System Information Discovery.
    • This tool is used to gather detailed information about the operating system and hardware configurations of compromised systems.

In summary, Admin@338 is a cyber espionage group focused on political and economic intelligence, with an emphasis on targets in Hong Kong and the United States. Its tradecraft is not technically exotic: spearphishing with weaponized Office documents, a small set of public and private backdoors (Poison Ivy, LOWBALL, BUBBLEWRAP), and post-exploitation reconnaissance done with built-in Windows commands whose output is staged in a single file under %temp%. That reliance on living-off-the-land discovery is also what makes the group's activity visible to command-line logging.

🌐 Ajax Security Team - Group Overview 🇮🇷
...

📜 Description:
...

Ajax Security Team (AST), active since at least 2010, is a cyber threat group believed to be operating out of Iran 🇮🇷. Initially known for website defacement operations, by 2014, AST transitioned to malware-based cyber espionage campaigns 💻. Their primary targets have been the US defense industrial base 🛡️ and Iranian users of anti-censorship technologies 🌐. The group is notably associated with Operation Saffron Rose.

💡 Motivation:
...

Ajax Security Team's shift from website defacement to cyber espionage indicates a strategic evolution in their objectives 📄. Their focus on the US defense industry 🏢 and anti-censorship users in Iran 🇮🇷 suggests motivations rooted in political and strategic espionage, likely aimed at gaining intelligence 🕵️ and exerting control over information flow 🌐.

📛 Names:
...

Apart from Ajax Security Team, the group is associated with several other names 🏷️, including AjaxTM, Flying Kitten, and Rocket Kitten, as well as the campaign names Operation Saffron Rose and Operation Woolen-Goldfish. Note that the operation names identify reported campaigns rather than the group itself, and that some vendors track Rocket Kitten as a separate but overlapping cluster.

🌍 Location:
...

The group is believed to be based in Iran 🇮🇷, aligning with their targeting patterns and the geopolitical interests reflected in their activities 🌐.

📅 First Seen:
...

AST's activities date back to at least 2010 📆, marking over a decade of their presence in the cyber threat landscape.

👀 Observed Activities:
...

Ajax Security Team has conducted operations against the US defense industrial base 🛡️ and against Iranian users of anti-censorship tools. Some secondary reporting also links the group to attacks on Middle Eastern energy companies such as Saudi Aramco and Qatar's RasGas 🏭; those 2012 incidents are generally attributed to the Shamoon wiper campaign rather than to AST, so treat that link as unconfirmed. The move from defacement to malware-based espionage marks a significant evolution in the group's operational capabilities 🌐.

Tools Used:

  • Stealer: Developed by AST, Stealer is a powerful spyware capable of stealing sensitive information, including keystrokes and screenshots. It stores the data on the victim's computer before sending it to a command and control (C2) server.
  • Havij: An automated SQL injection tool distributed by ITSecTeam, an Iranian security company. Released in 2010, Havij is marketed by its vendor as having an injection success rate of over 95%. It offers both free and commercial editions and is considered a forerunner of automated SQL injection tools.

Techniques Used by Ajax Security Team:

  • Credentials from Password Stores: Credentials from Web Browsers (T1555.003):
    • The group has used FireMalv, a custom-developed malware, to collect passwords from the Firefox browser storage. This technique involves accessing and extracting stored credentials from web browsers.
  • Ingress Tool Transfer (T1105):
    • Ajax Security Team has utilized Wrapper/Gholee, another custom-developed malware, which is capable of downloading additional malware onto the infected system. This technique is crucial for establishing a foothold and expanding control within the target system.
  • Input Capture: Keylogging (T1056.001):
    • The group has deployed CWoolger and MPK, custom-developed malware, to record all keystrokes on an infected system. Keylogging is a common method for capturing sensitive information, including passwords and other confidential data.
  • Phishing: Spearphishing Attachment (T1566.001):
    • Personalized spearphishing attachments have been used by Ajax Security Team. This method involves sending targeted emails with malicious attachments to trick victims into compromising their systems.
  • Phishing: Spearphishing via Service (T1566.003):
    • The group has employed various social media channels to spearphish victims, using these platforms to deliver targeted phishing messages.
  • User Execution: Malicious File (T1204.002):
    • Victims have been lured by Ajax Security Team into executing malicious files. This technique relies on social engineering to convince users to run files that compromise their systems.

Software Used by Ajax Security Team:

  • Havij (S0224):
    • Techniques: Exploit Public-Facing Application.
    • Havij is an automated SQL injection tool known for its high success rate in exploiting vulnerabilities in web applications. It's used to gain unauthorized access to databases through SQL injection.
  • sqlmap (S0225):
    • Techniques: Exploit Public-Facing Application.
    • Similar to Havij, sqlmap is another tool for automating the process of detecting and exploiting SQL injection flaws. It's used to compromise databases and extract data from them.
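Both tools above succeed against the same root cause: user input concatenated into a SQL string. The following Python example is added for this page (it is not code from the Ajax Security Team reporting, nor from Havij or sqlmap); it uses an in-memory SQLite database constructed inline to show the vulnerable query, the boolean-differential probe these tools send to confirm injectability, and the parameterized query that defeats it.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_vulnerable(conn, username):
    # The input is glued into the SQL text, so a quote in it ends the literal and the
    # rest becomes SQL. This is the flaw Havij- and sqlmap-style tools find and exploit.
    query = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # The value travels as a bound parameter; quotes and OR clauses stay data.
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def boolean_probe(conn, lookup, base_value):
    """Emulate the differential probe an automated injector sends: the same input with a
    true and a false condition appended. Different results prove the input reaches SQL."""
    true_rows = lookup(conn, base_value + "' AND '1'='1")
    false_rows = lookup(conn, base_value + "' AND '1'='2")
    return true_rows != false_rows


TAUTOLOGY = "x' OR '1'='1"  # classic payload: matches every row

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY))        # both rows
    print("parameterized:", lookup_parameterized(db, TAUTOLOGY))  # no rows
    print("injectable?", boolean_probe(db, lookup_vulnerable, "alice"))
```

The boolean probe is the interesting part for defenders: an automated injector does not need an error message, only a measurable difference between the true and false variants, which is why "suppress error output" is not a mitigation and parameterization is.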

In summary, the Ajax Security Team employs a combination of custom-developed malware and well-known exploitation tools to conduct their cyber espionage activities. Their techniques range from sophisticated phishing operations to keylogging and exploiting web application vulnerabilities, demonstrating their capability to adapt and employ various methods for intelligence gathering and system compromise.

🌐 ALLANITE - Group Overview 🇷🇺
...

📜 Description:
...

ALLANITE, also known as Palmetto Fusion, is a cyber espionage group that focuses on accessing business and industrial control (ICS) networks 🏭. The group conducts reconnaissance 🕵️ and gathers intelligence, particularly in the United States 🇺🇸 and United Kingdom 🇬🇧 electric utility sectors ⚡. ALLANITE's operations are characterized by their focus on understanding operational environments and developing capabilities that could potentially disrupt electric utilities. However, their activities have so far been limited to information gathering without demonstrating any disruptive or damaging capabilities. The group is known for conducting malware-less operations 🦠, primarily leveraging legitimate and available tools in the Windows operating system 💻.

💡 Motivation:
...

The primary motivation of ALLANITE appears to be espionage 📄, with a specific interest in the electric utility sector ⚡. Their activities suggest an intent to understand and potentially develop capabilities to disrupt operations in this sector. The group's focus on maintaining access to ICS networks indicates a strategic interest in the operational aspects of electric utilities.

📛 Names:
...

ALLANITE is also known as Palmetto Fusion 🏷️.

🌍 Location:
...

ALLANITE is a suspected Russian 🇷🇺 cyber espionage group.

📅 First Seen:
...

ALLANITE has been active at least since May 2017 📆, as reported by the industrial cybersecurity firm Dragos.

👀 Observed:
...

ALLANITE has primarily targeted the electric utility sector within the United States 🇺🇸 and the United Kingdom 🇬🇧. Their tactics and techniques are reportedly similar to those of the Dragonfly group 🌐.

Tools Used:
...

ALLANITE uses email phishing campaigns and compromised websites, known as watering holes, to steal credentials and gain access to target networks. This includes collecting and distributing screenshots of industrial control systems. The group conducts operations without relying on traditional malware, instead using legitimate tools available in the Windows operating system. There are no specific malware families currently associated with ALLANITE.

Techniques Used by ALLANITE:

  • Drive-by Compromise (ICS T0817):
    • ALLANITE uses watering hole attacks to gain access to electric utilities. The group compromises websites that its targets are likely to visit; consistent with the group's malware-less tradecraft, the compromised sites are used to harvest credentials from visitors rather than to drop malware, and the harvested credentials are then reused for access (see Valid Accounts below).
  • Screen Capture (ICS T0852):
    • The group has been identified collecting and distributing screenshots of ICS systems, such as Human-Machine Interfaces (HMIs). This technique allows them to visually capture and analyze information displayed on screens within the targeted industrial control systems, providing insights into operational details and potentially sensitive data.
  • Spearphishing Attachment (ICS T0865):
    • ALLANITE has used spearphishing emails to gain access to energy-sector environments. As with the watering holes, the reported goal of these emails is credential theft rather than malware delivery; spearphishing is a targeted approach that uses social engineering to get specific individuals to act on the message.
  • Valid Accounts (ICS T0859):
    • The group also uses credentials collected through phishing and watering hole attacks. By obtaining legitimate user credentials, ALLANITE can gain unauthorized access to systems and networks while appearing as a legitimate user. This technique reduces the likelihood of detection and allows for deeper penetration into the targeted infrastructure.

These techniques show ALLANITE's emphasis on stealth: social engineering and legitimate credentials rather than custom malware. That leaves few file-based indicators, so detection has to lean on authentication anomalies (new or unusual logons with valid accounts) and on unexpected access to HMI and engineering workstations.

🇰🇵 Andariel - Group Overview
...

📜 Description:
...

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. The group is primarily focused on conducting destructive attacks against South Korean government agencies 🏛️, military organizations ⚔️, and various domestic companies 🏢. Additionally, Andariel has engaged in cyber financial operations targeting ATMs 💰, banks 🏦, and cryptocurrency exchanges 🪙. Their notable activities include Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. Andariel is considered a subset of the Lazarus Group 🕵️‍♂️ and is attributed to North Korea's Reconnaissance General Bureau 🏢. It's important to note that North Korean group definitions often overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking individual clusters or subgroups.

💡 Motivation:
...

Andariel's operations are motivated by both political and financial objectives. Their attacks against South Korean entities are likely driven by geopolitical tensions between North and South Korea 🌏. The cyber financial operations suggest a motive of financial gain 💸, particularly through attacks on financial institutions and cryptocurrency platforms.

📛 Names:
...

Andariel is primarily known by this name but is also recognized as a subset of the Lazarus Group 🏷️.

🌍 Location:
...

Andariel is a North Korean state-sponsored group 🇰🇵.

📅 First Seen:
...

The group has been active since at least 2009 📆.

👀 Observed:
...

Andariel has been observed targeting South Korean government agencies, military organizations, domestic companies, ATMs, banks, and cryptocurrency exchanges 🏛️⚔️🏢💰🏦🪙. Their operations have included both destructive attacks and cyber financial crimes.

🛠️ Tools Used:
...

Tools reported for Andariel in the ATT&CK group entry are gh0st RAT and Rifdoor, detailed under Software Used below; the group also relies on publicly available RATs (see Obtain Capabilities: Malware) and on built-in Windows commands such as tasklist and netstat for discovery 💻.

Techniques Used by Andariel:
...

  • Data from Local System (T1005): Andariel has been known to collect a large number of files from compromised network systems for later extraction.
  • Drive-by Compromise (T1189): The group uses watering hole attacks, often with zero-day exploits, to gain initial access to victims within specific IP ranges.
  • Exploitation for Client Execution (T1203): Andariel exploits numerous ActiveX vulnerabilities, including zero-days, for executing malicious code on victim systems.
  • Gather Victim Host Information: Software (T1592.002): They insert malicious scripts within compromised websites to collect information such as browser type, system language, Flash Player version, and more.
  • Gather Victim Network Information: IP Addresses (T1590.005): The group's watering hole attacks are tailored to specific IP address ranges.
  • Ingress Tool Transfer (T1105): Andariel downloads additional tools and malware onto compromised hosts.
  • Obfuscated Files or Information: Steganography (T1027.003): The group has hidden malicious executables within PNG files.
  • Obtain Capabilities: Malware (T1588.001): They use a variety of publicly available remote access Trojans (RATs) for their operations.
  • Phishing: Spearphishing Attachment (T1566.001): Andariel conducts spearphishing campaigns with malicious Word or Excel attachments.
  • Process Discovery (T1057): The group uses the tasklist command to enumerate processes and find specific strings.
  • System Network Connections Discovery (T1049): Andariel uses the netstat -naop tcp command to display TCP connections on a victim's machine.
  • User Execution: Malicious File (T1204.002): They attempt to lure victims into enabling malicious macros within email attachments.
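The steganography entry above (executables hidden inside PNG files) is worth a concrete check. The simplest embedding is to append the payload after the PNG IEND chunk, where image viewers ignore it; the Python below, added for this page and not taken from any Andariel analysis, walks the PNG chunk structure, validates each chunk CRC, and reports anything after IEND. The PNG it tests against is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png():
    """Constructed 1x1 RGB image (IHDR, IDAT, IEND); not derived from any real sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")       # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def inspect_png(blob):
    """Walk the chunk list up to IEND. Returns (chunk types, bytes after IEND).

    Raises ValueError on a bad signature, a truncated chunk or a CRC mismatch, so a
    file that merely looks like a PNG is reported rather than silently accepted.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    types = []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        types.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    return types, blob[pos:]


def trailing_payload_verdict(blob):
    """Classify what, if anything, follows IEND."""
    _, trailing = inspect_png(blob)
    if not trailing:
        return "clean"
    if trailing[:2] == b"MZ":
        return "appended PE after IEND (%d bytes)" % len(trailing)
    return "unexpected %d trailing bytes after IEND" % len(trailing)


if __name__ == "__main__":
    image = make_minimal_png()
    print(trailing_payload_verdict(image))
    print(trailing_payload_verdict(image + b"MZ\x90\x00" + b"\x00" * 60))
```

This catches appended payloads only. Data hidden in pixel values or in oversized ancillary chunks needs a per-chunk content check instead, and in either case the dropper must contain a decoder that reads the bytes back out, so the image-reading routine in the dropper is the next thing to look for.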

    Software Used by Andariel:

  • gh0st RAT (S0032):
    • Techniques: This RAT is used for a range of activities including boot or logon autostart execution, command and scripting interpreter, creating or modifying system processes, data encoding, deobfuscating/decoding information, dynamic resolution, encrypted channels, hijack execution flow, indicator removal, ingress tool transfer, input capture, process discovery, process injection, query registry, screen capture, shared modules, system information discovery, and more.
  • Rifdoor (S0433):
    • Techniques: Rifdoor is employed for boot or logon autostart execution, encrypted channels, obfuscated files or information, phishing via spearphishing attachments, system information discovery, system network configuration discovery, system owner/user discovery, and user execution of malicious files.

In summary, Andariel's cyber operations are characterized by a diverse range of sophisticated techniques and software tools. These include exploiting vulnerabilities, conducting spearphishing campaigns, using steganography for obfuscation, and employing RATs like gh0st RAT and Rifdoor. Their approach demonstrates a high level of sophistication and adaptability in executing cyber espionage and cyber warfare activities.

🐉 Aoqin Dragon: A Suspected Chinese Cyber Espionage Threat Group
...

📜 Description:
...

Aoqin Dragon is a cyber espionage group suspected to be of Chinese origin 🇨🇳. Active since at least 2013, they have primarily targeted government 🏛️, education 🎓, and telecommunication organizations 📡 in Australia 🇦🇺, Cambodia 🇰🇭, Hong Kong 🇭🇰, Singapore 🇸🇬, and Vietnam 🇻🇳. The group is known for its sophisticated cyber operations, focusing on espionage 🕵️‍♂️ and information theft 💼. Aoqin Dragon is noted for its use of document exploits 📄 and fake removable devices, such as USB drives 🖇️, for initial access into target systems.

💡 Motivation:
...

The primary motivation of Aoqin Dragon appears to be espionage 🕵️‍♂️, with a focus on collecting sensitive information 📰 from targeted organizations. Their activities suggest an intent to gather intelligence related to government, education, and telecommunication sectors 📚📡 in Southeast Asia and Australia.

📛 Names:
...

Aoqin Dragon is also potentially associated with UNC94, based on similarities in malware, infrastructure, and targets 🏷️.

🌍 Location:
...

The group is believed to be based in China 🇨🇳.

📅 First Seen:
...

Aoqin Dragon has been active since at least 2013 📆.

👀 Observed:
...

The group has targeted a variety of sectors, with a particular focus on government, education, and telecommunication organizations 🏛️🎓📡 in Southeast Asia and Australia. Their operations are characterized by the use of sophisticated cyber techniques and tools 💻.

🛠️ Tools Used:
...

Aoqin Dragon employs a range of tools in their operations, including document exploits 📄 and fake removable devices like USB drives 🖇️. These tools are used for initial access and subsequent operations within the target networks 🏢💼.

Aoqin Dragon: Techniques and Software

Techniques Used by Aoqin Dragon:

  • Develop Capabilities: Malware (T1587.001): Aoqin Dragon has developed custom malware, including Mongall and Heyoka Backdoor, for their cyber operations.
  • Exploitation for Client Execution (T1203): The group has exploited vulnerabilities like CVE-2012-0158 and CVE-2010-3333 to execute code on targeted systems.
  • File and Directory Discovery (T1083): They have utilized scripts to identify specific file formats, including Microsoft Word documents, within target networks.
  • Lateral Tool Transfer (T1570): Aoqin Dragon spreads malware across target networks by copying modules into folders disguised as removable devices.
  • Masquerading: Match Legitimate Name or Location (T1036.005): The group has used fake icons, such as antivirus and external drive symbols, to disguise malicious payloads.
  • Obfuscated Files or Information: Software Packing (T1027.002): They have employed the Themida packer to obfuscate their malicious payloads, making detection more difficult.
  • Obtain Capabilities: Tool (T1588.002): Aoqin Dragon obtained and modified the Heyoka open-source exfiltration tool for their operations.
  • Replication Through Removable Media (T1091): The group has used a dropper that employs a worm infection strategy, using removable devices to penetrate secure network environments.
  • User Execution: Malicious File (T1204.002): They have tricked victims into opening weaponized documents and fake external drives or antivirus software to execute malicious payloads.

Software Used by Aoqin Dragon:

  • Heyoka Backdoor (S1027):
    • Techniques: Application Layer Protocol: DNS, Boot or Logon Autostart Execution, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal, Masquerading, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Process Injection, Protocol Tunneling, System Binary Proxy Execution, System Information Discovery, System Service Discovery, User Execution.
    • Heyoka Backdoor is a sophisticated tool used for various malicious activities, including data exfiltration and system information discovery.
  • Mongall (S1026):
    • Techniques: Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution, Data Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel, Exfiltration Over C2 Channel, Ingress Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Injection, System Binary Proxy Execution, System Information Discovery, User Execution.
    • Mongall is a multifunctional malware used for data theft, system information discovery, and maintaining persistent access in compromised systems.

Aoqin Dragon's use of these techniques and software tools demonstrates their sophisticated approach to cyber espionage. They leverage a variety of methods to infiltrate, explore, and extract valuable information from their targets, showcasing their adeptness in navigating and exploiting digital environments for espionage purposes.

🦅 APT-C-36 (Blind Eagle) - Group Overview
...

Description:
...

APT-C-36, also known as Blind Eagle, is an Advanced Persistent Threat (APT) group suspected to originate from South America. Since April 2018, they have been actively targeting Colombian government institutions and significant corporations in the financial sector, petroleum industry, professional manufacturing, and others.

Motivation:
...

The primary motivation of APT-C-36 appears to be espionage and intelligence gathering, focusing on government and corporate entities. Their consistent targeting of specific sectors suggests a strategic intent to collect sensitive information for political or economic advantage.

Names:
...

  • APT-C-36
  • Blind Eagle

Location:

The group is suspected to be based in South America.

First Seen:

APT-C-36's activities were first observed in April 2018.

Observed:

The group has targeted Colombian government institutions and major corporations across various sectors, including finance, petroleum, and manufacturing.

Tools Used:

APT-C-36 has used a variety of tools in their campaigns, including:

  • Imminent Monitor RAT
  • LimeRAT

Techniques Used by APT-C-36:
...

  • Command and Scripting Interpreter: Visual Basic (T1059.005): Embedding VBScript within malicious Word documents that execute upon opening.
  • Ingress Tool Transfer (T1105): Downloading binary data from a specified domain after opening a malicious document.
  • Masquerading: Masquerade Task or Service (T1036.004): Disguising scheduled tasks as those used by Google.
  • Non-Standard Port (T1571): Using port 4050 for C2 communications.
  • Obfuscated Files or Information (T1027): Using ConfuserEx to obfuscate variants of Imminent Monitor, compress payloads, and password-protect email attachments for evasion.
  • Obtain Capabilities: Tool (T1588.002): Utilizing a modified variant of Imminent Monitor.
  • Phishing: Spearphishing Attachment (T1566.001): Employing spearphishing emails with password-protected RAR attachments.
  • Scheduled Task/Job: Scheduled Task (T1053.005): Using macro functions to set scheduled tasks, disguised as those used by Google.
  • User Execution: Malicious File (T1204.002): Prompting victims to accept macros to execute the payload.

Software Used by APT-C-36 (Blind Eagle):

  • Imminent Monitor (S0434):

    Imminent Monitor is a Remote Access Trojan (RAT) that APT-C-36 uses in a modified form in its operations. Its broad feature set covers most of what an espionage operator needs, which explains the group's preference for it. The key techniques associated with Imminent Monitor include:
  • Audio Capture: Ability to record audio from the compromised system's microphone.
  • Command and Scripting Interpreter: Executing commands and scripts for various malicious purposes.
  • Credentials from Password Stores: Credentials from Web Browsers: Extracting stored credentials from web browsers.
  • Deobfuscate/Decode Files or Information: Unraveling obfuscated data or files to reveal their true content.
  • Exfiltration Over C2 Channel: Transmitting stolen data back to the command and control (C2) server.
  • File and Directory Discovery: Scanning the compromised system to locate files and directories of interest.
  • Hide Artifacts: Hidden Files and Directories: Concealing files and directories to evade detection.
  • Impair Defenses: Disable or Modify Tools: Disabling or altering security tools to prevent detection.
  • Indicator Removal: File Deletion: Deleting files to remove evidence of the intrusion.
  • Input Capture: Keylogging: Recording keystrokes to capture sensitive information like passwords and other credentials.
  • Native API: Using native system application programming interfaces for various malicious activities.
  • Obfuscated Files or Information: Employing techniques to make files or information difficult to analyze.
  • Process Discovery: Identifying and analyzing running processes on the compromised system.
  • Remote Services: Remote Desktop Protocol: Utilizing RDP for remote access and control over the compromised system.
  • Resource Hijacking: Misusing system resources for malicious purposes, such as cryptocurrency mining.
  • Video Capture: Recording video from the compromised system's camera.

Imminent Monitor's feature set lets APT-C-36 run espionage operations that range from data theft to live audio and video surveillance. Its defense-evasion features (hidden files, tampering with security tools, file deletion) and its control over system processes make it a potent tool for cyber espionage campaigns.

APT1 (Advanced Persistent Threat 1) 🇨🇳
...

Description:
...

APT1, also known as Comment Crew or Comment Group, is a cyber espionage group believed to be associated with the Chinese military. This group is known for its sophisticated cyber operations and has been implicated in numerous cyber espionage campaigns targeting a wide range of industries and government entities around the world. 🕵️‍♂️💼🏢🌍

Motivation:
...

APT1's primary motivation appears to be cyber espionage, with a focus on intellectual property theft and gaining strategic advantages in various industries. Their activities suggest an intent to gather sensitive information for economic and political gain. 💻💰📈📊🏭🏛️

Names:
...

APT1 is also known as Comment Crew or Comment Group. These names have been attributed to the group by various cybersecurity organizations and researchers. 📝👥

Location:
...

The group is believed to be based in China. 🇨🇳

First Seen:
...

APT1 has been active since at least 2006, but its activities gained widespread attention in February 2013 when Mandiant, a cybersecurity firm, published a detailed report attributing the group to PLA Unit 61398. 📆🔍

Observed:
...

APT1 has targeted a broad range of corporations and government entities around the world, with a particular focus on English-speaking countries. Their targets span various industries, including information technology, telecommunications, aerospace, public administration, and others. 🎯🌐🚀📡

Techniques and Software Used by APT1
...

Techniques Used by APT1:
...

  • Account Discovery (T1087.001): APT1 used commands like net localgroup, net user, and net group to find accounts on the system.
  • Acquire Infrastructure: Domains (T1583.001): They registered hundreds of domains for use in operations.
  • Archive Collected Data: Archive via Utility (T1560.001): APT1 used RAR to compress files before moving them outside of the victim network.
  • Automated Collection (T1119): They employed a batch script to perform discovery techniques and save results to a text file.
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003): The group used the Windows command shell for command execution and batch scripting for automation.
  • Compromise Infrastructure: Domains (T1584.001): APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.
  • Data from Local System (T1005): They collected files from local victim systems.
  • Email Collection (T1114.001 and T1114.002): APT1 used GETMAIL and MAPIGET utilities to steal emails from Outlook .pst files and Exchange servers.
  • Establish Accounts: Email Accounts (T1585.002): They created email accounts for social engineering, phishing, and domain registration.
  • Masquerading: Match Legitimate Name or Location (T1036.005): Malware was named after legitimate processes like AcroRD32.exe to evade detection.
  • Network Share Discovery (T1135): APT1 listed connected network shares.
  • Obtain Capabilities: Malware and Tool (T1588.001 and T1588.002): They used publicly available malware and open-source tools for privilege escalation.
  • OS Credential Dumping: LSASS Memory (T1003.001): APT1 used Mimikatz for credential dumping.
  • Phishing: Spearphishing Attachment and Link (T1566.001 and T1566.002): They conducted spearphishing campaigns with malicious attachments and links.
  • Process Discovery (T1057): APT1 gathered a list of running processes using tasklist /v.
  • Remote Services: Remote Desktop Protocol (T1021.001): They used RDP during operations.
  • System Network Configuration Discovery (T1016): APT1 used ipconfig /all to gather network configuration information.
  • System Network Connections Discovery (T1049): They used net use to get a listing of network connections.
  • System Service Discovery (T1007): APT1 used net start and tasklist to list services on the system.
  • Use Alternate Authentication Material: Pass the Hash (T1550.002): They used pass the hash techniques.
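
The discovery commands attributed to APT1 above (net localgroup / net user / net group, tasklist /v, ipconfig /all, net use, net start), run back-to-back from a batch script with output redirected to a text file, leave a distinctive process-creation footprint. The detection below is an added example written for this page, not APT1 tooling or MITRE content: the event records are constructed, and the field names (ts, host, user, cmdline), the 120-second window and the three-technique threshold are assumptions.

```python
"""Detection for the APT1-style discovery burst (T1119 Automated Collection):
a batch script runs net / tasklist / ipconfig back-to-back and redirects the
output to a text file. Added example, not APT1 tooling or MITRE code; the
process-creation events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Discovery commands MITRE attributes to APT1, mapped to ATT&CK technique IDs.
DISCOVERY_PATTERNS = [
    (re.compile(r"^net(\.exe)?\s+(localgroup|user|group)\b", re.I), "T1087.001"),
    (re.compile(r"^tasklist(\.exe)?\b", re.I), "T1057"),
    (re.compile(r"^ipconfig(\.exe)?\s+/all\b", re.I), "T1016"),
    (re.compile(r"^net(\.exe)?\s+use\b", re.I), "T1049"),
    (re.compile(r"^net(\.exe)?\s+start\b", re.I), "T1007"),
    (re.compile(r"^net(\.exe)?\s+view\b", re.I), "T1135"),
]


def normalize(cmdline):
    """Strip the directory from the image (first token) so 'C:\\...\\net.exe user'
    and 'net user' compare equal. Quoted paths containing spaces are not handled."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return ""
    image = parts[0].strip('"').rsplit("\\", 1)[-1]
    return image if len(parts) == 1 else image + " " + parts[1]


def classify(cmdline):
    """Return the ATT&CK technique ID for a discovery command, else None."""
    cmd = normalize(cmdline)
    for pattern, technique in DISCOVERY_PATTERNS:
        if pattern.search(cmd):
            return technique
    return None


def detect_discovery_bursts(events, window=timedelta(seconds=120), min_distinct=3):
    """events: dicts with 'ts' (ISO 8601), 'host', 'user', 'cmdline'.
    Alert once per (host, user) whose commands within `window` cover at least
    `min_distinct` distinct discovery techniques; a lone ipconfig never fires."""
    sessions = defaultdict(list)
    for ev in events:
        technique = classify(ev["cmdline"])
        if technique:
            sessions[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), technique, ev["cmdline"]))
    alerts = []
    for (host, user), hits in sessions.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techniques = sorted({h[1] for h in in_window})
            if len(techniques) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": user,
                    "start": start.isoformat(),
                    "techniques": techniques,
                    # output redirected to a file is the T1119 staging tell
                    "redirected_to_file": any(">" in h[2] for h in in_window),
                })
                break
    return alerts


# Constructed sample events (Sysmon event 1 / 4688 style), not real data.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:00:01", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "C:\\Windows\\System32\\cmd.exe /c collect.bat"},
    {"ts": "2024-01-15T09:00:02", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "net localgroup administrators >> C:\\Windows\\Temp\\1.txt"},
    {"ts": "2024-01-15T09:00:03", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "net user >> C:\\Windows\\Temp\\1.txt"},
    {"ts": "2024-01-15T09:00:04", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "tasklist /v >> C:\\Windows\\Temp\\1.txt"},
    {"ts": "2024-01-15T09:00:05", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "ipconfig /all >> C:\\Windows\\Temp\\1.txt"},
    {"ts": "2024-01-15T09:00:06", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "net use >> C:\\Windows\\Temp\\1.txt"},
    {"ts": "2024-01-15T09:00:07", "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "net start >> C:\\Windows\\Temp\\1.txt"},
    # an admin running one ipconfig an hour later must not alert
    {"ts": "2024-01-15T10:00:00", "host": "WS02", "user": "CORP\\admin",
     "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the combination, not on any single command: net and ipconfig are used all day by administrators, but five distinct discovery techniques inside two minutes from one user, all redirected into the same file, is the batch-script signature MITRE describes under Automated Collection.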

    Software Used by APT1:

  • BISCUIT: Used for command execution, screen capture, keylogging, and other functions.
  • Cachedump: For dumping cached domain credentials.
  • CALENDAR: Employed for bidirectional communication.
  • GLOOXMAIL: Used for web-based bidirectional communication.
  • gsecdump: For dumping SAM and LSA secrets.
  • ipconfig: To discover network configuration.
  • Lslsass: For dumping LSASS memory.
  • Mimikatz: A versatile tool for credential dumping and manipulation.
  • Net: Used for account discovery, network share discovery, and more.
  • Pass-The-Hash Toolkit: Employed for pass the hash attacks.
  • PoisonIvy: A RAT used for data exfiltration and command execution.
  • PsExec: For lateral movement and remote service execution.
  • pwdump: For dumping SAM credentials.
  • Seasalt: Used for web protocol communication and other functions.
  • Tasklist: For process and service discovery.
  • WEBC2: Employed for command execution and data transfer.
  • xCmd: Used for service execution.

In summary, APT1 utilized a wide array of techniques and software tools, from built-in command-line utilities (net, tasklist, ipconfig) to custom backdoors (BISCUIT, WEBC2, Seasalt) and credential dumping tools. Taken together the list describes a repeatable playbook: gain access by spearphishing, dump credentials, move laterally over RDP and SMB, then archive and exfiltrate data.

APT12 (IXESHE, Numbered Panda, Group 22) 🇨🇳
...

Description
...

APT12, also known as IXESHE, Numbered Panda, and Group 22, is a threat actor primarily targeting organizations in Japan, Taiwan, and other parts of East Asia. Their activities mainly focus on espionage and have been directed towards electronics manufacturers and telecommunications companies. 🏢🌏📡💼

Motivation
...

The primary motivation of APT12 is espionage. They have been involved in extensive cyber espionage campaigns, targeting sensitive information from various organizations. 🕵️‍♂️💻🔍

Names
...

APT12 is known by several aliases:

  • IXESHE
  • Numbered Panda
  • Group 22
  • BeeBus
  • DynCalc
  • Calc Team
  • DNSCalc
  • Crimson Iron
  • BRONZE GLOBE

Location
...

APT12 is believed to be based in China. 🇨🇳

First Seen
...

The group has been active for several years, with notable activities traced back to at least 2013. 📆🔍

Observed Activities
...

APT12 has conducted numerous spear-phishing attacks and has been associated with various malware families (listed here by their Malpedia identifiers), including:

  • win.etumbot
  • win.rapid_stealer
  • win.threebyte
  • win.waterspout 💻📤📊🔐

APT12 (IXESHE, Numbered Panda, Group 22) Techniques and Software
...

Techniques Used
...

  • Dynamic Resolution: DNS Calculation (T1568.003)
    • APT12 has employed DNS Calculation, deriving the command and control (C2) port from the octets of the IP address returned by a DNS lookup rather than hard-coding it. In one documented variant the port is the product of the first two octets plus the third octet, so changing the A record changes both the C2 host and the port.
  • Exploitation for Client Execution (T1203)
    • The group exploited various vulnerabilities in Microsoft Office (CVE-2009-3129, CVE-2012-0158), Adobe Reader, and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611) for execution.
  • Phishing: Spearphishing Attachment (T1566.001)
    • APT12 sent emails with malicious attachments, including Microsoft Office documents and PDFs, as part of spearphishing campaigns.
  • User Execution: Malicious File (T1204.002)
    • They attempted to trick victims into opening malicious Microsoft Word and PDF attachments sent via spearphishing.
  • Web Service: Bidirectional Communication (T1102.002)
    • The group used blogs and WordPress platforms for their C2 infrastructure.
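
The DNS Calculation technique above is easy to misread as "DNS-based C2"; it is really a port-agility trick, and the documented APT12 variant (first octet times second octet, plus the third) is simple enough to reproduce from both sides. The block below is an added example written for this page, not APT12 code: the domain name, the resolved address and the flow records are constructed, and the 1024 low-port cut-off on the defender side is my assumption.

```python
"""DNS Calculation (T1568.003) as MITRE describes one APT12 variant: the
implant resolves a domain and derives the C2 port from the returned IP as
(octet1 * octet2) + octet3, so the port is never hard-coded. Added example,
not APT12 code; the domain, addresses and flows below are constructed."""
import ipaddress


def c2_port_from_ip(ip):
    """Documented APT12 variant: port = o1 * o2 + o3. The maximum, 255*255+255,
    is 65280, so the result always fits a TCP port."""
    o = [int(x) for x in ipaddress.IPv4Address(ip).exploded.split(".")]
    return o[0] * o[1] + o[2]


# Constructed stand-in for the resolver; a real implant calls gethostbyname().
FAKE_DNS = {"update.example.net": "198.51.100.7"}


def resolve_c2(domain, dns=FAKE_DNS):
    """Implant side: one A-record lookup yields both the C2 host and port."""
    ip = dns[domain]
    return ip, c2_port_from_ip(ip)


def find_dns_calc_candidates(flows, min_port=1024):
    """Defender side: flag flows whose destination port equals the value the
    formula produces for the destination IP. Ports below `min_port` are
    skipped because low results collide with real services (1.80.0.1 -> 80)."""
    return [
        (ip, port) for ip, port in flows
        if port >= min_port and c2_port_from_ip(ip) == port
    ]


# Constructed flow records (dst_ip, dst_port), not real traffic.
SAMPLE_FLOWS = [
    ("192.0.2.10", 443),        # ordinary HTTPS; formula gives 2
    ("198.51.100.7", 10198),    # 198*51 + 100 = 10198: matches
    ("198.51.100.7", 80),       # same host, normal port: no match
    ("203.0.113.45", 113),      # formula gives 113, but below min_port
]

if __name__ == "__main__":
    print(resolve_c2("update.example.net"))
    print(find_dns_calc_candidates(SAMPLE_FLOWS))
```

The defender-side check is a hunting query, not a blocking rule: roughly one in 65,000 random (IP, port) pairs satisfies the formula by chance, so join the candidates against passive DNS (was this IP just returned for a low-reputation domain?) before acting on them.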

      Software Used

  • HTRAN (S0040)
    • Techniques: Process Injection, Proxy, Rootkit.
    • HTRAN is used to obscure the location of their C2 servers.
  • Ixeshe (S0015)
    • Techniques: Various, including Application Layer Protocol: Web Protocols, Data Encoding, File and Directory Discovery, Indicator Removal, and System Information Discovery.
    • Ixeshe is a malware family associated with APT12, known for its versatility and capability to perform a wide range of functions.
  • RIPTIDE (S0003)
    • Techniques: Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography.
    • RIPTIDE is another malware tool used by APT12, known for its encrypted communication capabilities.

APT12's use of diverse techniques and sophisticated software highlights their capability to conduct complex cyber espionage operations. Their methods include exploiting software vulnerabilities, spearphishing, and utilizing advanced malware, all aimed at infiltrating target networks and exfiltrating sensitive information.

APT16: Overview and Activities
...

Description
...

APT16 is a China-based threat group known for spearphishing campaigns targeting organizations primarily in Japan and Taiwan. The group's activities focus on government, financial services, media, and high technology industry sectors. APT16 is believed to be closely aligned with Chinese nation-state activities.

Motivation
...

The primary motivation of APT16 appears to be espionage, gathering intelligence from targeted sectors and organizations that align with the interests of the Chinese state.

Names: -
...

Location
...

APT16 is based in China.

First Seen: -
...

Observed Activities
...

APT16 has been responsible for:

  • Spear phishing attacks.
  • Using compromised legitimate sites as staging servers for second-stage payloads.
  • Delivering malware-laden Microsoft Word documents that exploited vulnerabilities such as CVE-2015-1701 (a Windows win32k.sys kernel privilege escalation, patched in MS15-051).

    APT16: Techniques and Software Used

    Techniques Used by APT16

  • Compromise Infrastructure: Server (Enterprise T1584.004)
    • Use: APT16 has demonstrated the capability to compromise legitimate websites, using them as staging servers for hosting their second-stage payloads. This technique involves breaching the security of a web server and then using it to store and distribute malware or other malicious tools. By leveraging legitimate infrastructure, APT16 can evade detection and increase the success rate of their attacks.

      Software Used by APT16

  • ELMER Backdoor (Software ID: S0064)
    • Techniques:
      • Application Layer Protocol: Web Protocols: ELMER uses standard web protocols for communication, which helps it blend in with normal traffic and avoid detection.
      • File and Directory Discovery: The backdoor is capable of searching through files and directories on the compromised system, allowing APT16 to locate and exfiltrate sensitive information.
      • Process Discovery: ELMER can enumerate running processes on the infected system, providing insights into the operational environment and potentially identifying security tools that need to be evaded or disabled.

        Summary

        APT16, a group with suspected ties to China, employs sophisticated techniques and custom software to conduct espionage-focused cyber operations. Their use of compromised legitimate websites for staging attacks highlights their ability to adapt and mask their activities within normal network traffic. The ELMER backdoor, a key tool in their arsenal, provides them with capabilities essential for reconnaissance and data exfiltration within targeted networks.

APT17 Overview
...

Description
...

APT17, also known as Deputy Dog and associated with the Axiom group, is a China-based threat actor. It has been publicly linked to the Jinan bureau of China's Ministry of State Security (MSS) and has conducted intrusions against government and industry in the United States. APT17 targets sectors including mining, legal, information technology, and defense. The group is known for using Microsoft TechNet for command-and-control: it created bogus profiles and posted encoded C2 IP addresses in profile pages and technical forum threads. This "hiding in plain sight" method makes the implant's first network contact a trusted Microsoft site, which obscures the real C2 infrastructure and makes detection less likely.

Motivation
...

APT17 primarily engages in espionage activities. They target U.S. government entities, the defense industrial base, law firms, information technology companies, resource extraction companies, and non-governmental organizations. Their operations are believed to be carried out on-demand for the Jinan bureau of the Chinese Ministry of State Security.

Names
...

  • APT17
  • Deputy Dog
  • Axiom

    Location

    The group is believed to be operating out of China, specifically as contractors for the Jinan bureau of the Chinese Ministry of State Security.

    First Seen: -

    Observed

    APT17 has been observed targeting a wide range of sectors in the United States, focusing on espionage.

APT17 Techniques and Software Used
...

Techniques Used by APT17
...

  • Acquire Infrastructure: Web Services (T1583.006)
    • Usage: APT17 created profile pages on Microsoft TechNet and used them as command-and-control (C2) infrastructure: the implant fetched the page and extracted an encoded C2 address from it. This dead-drop approach hides the C2 lookup inside traffic to a legitimate Microsoft site, so neither domain reputation nor a static IP blocklist catches it.
  • Establish Accounts (T1585)
    • Usage: The group meticulously crafted and maintained profile pages on Microsoft TechNet. To enhance the credibility of these pages, APT17 added detailed biographical sections and actively participated in forum threads. This activity was part of their strategy to establish a legitimate-looking online presence, which was crucial for their C2 operations and for maintaining a low profile.
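
The two techniques above only make sense together: the account exists so that a page under the attacker's control lives on a trusted domain, and the implant treats that page as a dead drop. The block below is an added example written for this page, not APT17 or BLACKCOFFEE code, and it does not reproduce their encoding: the marker strings, the hex-reversed address encoding, the profile page and the proxy records are all constructed assumptions. The defender-side function shows the one observable the dead drop cannot hide, the connection that follows the page fetch.

```python
"""Dead drop resolver (T1102.001) in the style MITRE describes for
BLACKCOFFEE: the implant fetches a legitimate page (a TechNet profile) and
extracts an encoded C2 address from it, so the binary carries no C2 IP and
its first network contact is a trusted Microsoft site. Added example, not
APT17's code: the marker strings, the encoding (hex of the 6 address bytes,
reversed) and the page and proxy records are constructed assumptions."""
import re
from datetime import datetime, timedelta

MARK_BEGIN, MARK_END = "@@BIO:", ":END@@"   # hypothetical delimiters
DROP_RE = re.compile(re.escape(MARK_BEGIN) + r"([0-9a-f]+)" + re.escape(MARK_END))


def encode_drop(ip, port):
    """Operator side: the token that gets pasted into the profile text."""
    raw = bytes(int(o) for o in ip.split(".")) + port.to_bytes(2, "big")
    return MARK_BEGIN + raw.hex()[::-1] + MARK_END


def resolve_drop(page_html):
    """Implant side: locate the delimited token and recover (ip, port).
    Returns None when the page carries no token or the token is malformed."""
    m = DROP_RE.search(page_html)
    if not m:
        return None
    try:
        raw = bytes.fromhex(m.group(1)[::-1])
    except ValueError:
        return None
    if len(raw) != 6:
        return None
    return ".".join(str(b) for b in raw[:4]), int.from_bytes(raw[4:], "big")


# Constructed profile page with the token hidden in the biography text.
PROFILE_PAGE = (
    "<html><body><h1>About me</h1>"
    "<p>SQL Server admin, 12 years in Redmond. " + encode_drop("198.51.100.23", 8080) + "</p>"
    "<p>Ask me about failover clustering.</p></body></html>"
)

# Defender side: the page fetch itself looks benign, so hunt for the pattern
# 'profile page fetch, then a connection straight to a bare IP moments later'.
PROFILE_RE = re.compile(r"^https?://social\.technet\.microsoft\.com/profile/", re.I)
DIRECT_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")


def hunt_dead_drop_followups(proxy_log, gap=timedelta(seconds=30)):
    """proxy_log: dicts with 'ts' (datetime), 'src', 'url'. Returns
    (src, profile_url, direct_ip_url) triples where the second request
    followed the first within `gap` from the same client."""
    by_src = {}
    for rec in proxy_log:
        by_src.setdefault(rec["src"], []).append(rec)
    hits = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not PROFILE_RE.search(rec["url"]):
                continue
            for later in recs[i + 1:]:
                if later["ts"] - rec["ts"] > gap:
                    break
                if DIRECT_IP_RE.match(later["url"]):
                    hits.append((src, rec["url"], later["url"]))
    return hits


T0 = datetime(2024, 2, 1, 8, 15, 0)
SAMPLE_PROXY_LOG = [   # constructed, not real proxy data
    {"ts": T0, "src": "10.0.0.5",
     "url": "https://social.technet.microsoft.com/profile/a1b2c3/"},
    {"ts": T0 + timedelta(seconds=4), "src": "10.0.0.5",
     "url": "http://198.51.100.23:8080/"},
    {"ts": T0 + timedelta(seconds=2), "src": "10.0.0.9",
     "url": "https://social.technet.microsoft.com/profile/d4e5f6/"},
    {"ts": T0 + timedelta(seconds=9), "src": "10.0.0.9",
     "url": "https://docs.microsoft.com/en-us/sql/"},
]

if __name__ == "__main__":
    print(resolve_drop(PROFILE_PAGE))
    print(hunt_dead_drop_followups(SAMPLE_PROXY_LOG))
```

Two caveats for the hunt: a real implant may wait longer than 30 seconds or resolve a hostname instead of a bare IP, so treat the gap and the bare-IP test as tunable, and keep the profile fetch itself out of any blocklist, since blocking TechNet is not an option for most organizations.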

      Software Used by APT17

  • BLACKCOFFEE (S0069)
    • Techniques:
      • Command and Scripting Interpreter: Windows Command Shell: BLACKCOFFEE used the Windows Command Shell for executing commands.
      • File and Directory Discovery: The malware could discover files and directories on the infected system.
      • Indicator Removal: File Deletion: BLACKCOFFEE had capabilities to delete files, helping to cover its tracks.
      • Multi-Stage Channels: It utilized multi-stage channels for communication, adding complexity to its operations.
      • Process Discovery: The malware could discover processes running on the system.
      • Web Service: Dead Drop Resolver: BLACKCOFFEE retrieved its C2 address from encoded strings posted on a legitimate web service (the TechNet profile pages described above), so no C2 address had to be hard-coded in the binary.
      • Web Service: Bidirectional Communication: It was capable of bidirectional communication over web services, enhancing its ability to control compromised systems and exfiltrate data.

        Additional Insights

  • APT17's use of Microsoft TechNet for C2 infrastructure is a notable example of their innovative tactics. By embedding encoded command-and-control IP addresses in valid Microsoft TechNet profile pages and forum threads, they effectively masked their malicious activities.
  • The BLACKCOFFEE malware's diverse capabilities, including command execution, file and process discovery, and sophisticated communication methods, highlight APT17's technical proficiency and the advanced nature of their operations.

These techniques and tools reflect APT17's sophisticated approach to cyber espionage, emphasizing stealth and long-term access to targeted networks.

APT18: Overview and Details
...

Description
...

APT18, also known as Dynamite Panda, Threat Group-0416, Wekby, and Scandium, is a Chinese nation-state-aligned threat group. It has been active since approximately 2009 and is believed to be directly supported by the Chinese People’s Liberation Navy. APT18 has targeted a broad mix of industry sectors, including manufacturing, technology, government, healthcare, defense, telecommunications, and human rights groups, primarily focusing on organizations in North America, especially the United States.

Motivation
...

The primary motivation of APT18 appears to be espionage and information theft. They have been involved in medical espionage, exfiltrating patient data from medical device databases, and stealing intellectual property rights, including advanced proprietary designs. Their activities seem to be aimed at advancing China's industries at the expense of U.S. industries.

Names
...

  • Dynamite Panda
  • Threat Group-0416
  • Wekby
  • Scandium

    Location

    APT18 is believed to be based in China. Its targeting concentrates on organizations in North America, with a specific focus on the United States.

    First Seen

    The group has been active since approximately 2009.

    Observed Activities

    APT18 has been highly visible in attacks on the healthcare sector, including the 2014 breach of Community Health Systems (CHS), in which records of about 4.5 million patients were stolen. The group has exploited vulnerabilities in various software, including the Adobe Flash zero-day CVE-2015-5119 that became public through the 2015 Hacking Team leak, and has run phishing campaigns against multiple industry sectors.

APT18 Techniques and Software Used
...

Techniques Used by APT18
...

  • Application Layer Protocol: Web Protocols (T1071.001): APT18 uses HTTP for command and control (C2) communications.
  • Application Layer Protocol: DNS (T1071.004): They also utilize DNS for C2 communications.
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003): They use cmd.exe to execute commands on the victim’s machine.
  • External Remote Services (T1133): APT18 leverages legitimate credentials to log into external remote services.
  • File and Directory Discovery (T1083): They can list file information for specific directories.
  • Indicator Removal: File Deletion (T1070.004): APT18 deletes tools and batch files from victim systems.
  • Ingress Tool Transfer (T1105): They can upload files to the victim’s machine.
  • Obfuscated Files or Information (T1027): APT18 obfuscates strings in their payloads.
  • Scheduled Task/Job: At (T1053.002): They use the native at Windows task scheduler tool for execution on victim networks.
  • System Information Discovery (T1082): APT18 collects system information from the victim’s machine.
  • Valid Accounts (T1078): They leverage legitimate credentials for logging into external remote services.

    Software Used by APT18

  • cmd (S0106): Used for command execution, file and directory discovery, file deletion, and system information discovery.
  • gh0st RAT (S0032): A remote access trojan used for a variety of purposes including keylogging, screen capture, and process discovery.
  • hcdLoader (S0071): A loader that installs itself as a Windows service for persistence (Create or Modify System Process: Windows Service).
  • HTTPBrowser (S0070): A tool for DNS and web protocol communication, file and directory discovery, and obfuscating files.
  • Pisloader (S0124): Used for DNS communication, file and directory discovery, and system information discovery.

APT18's techniques and software reflect a sophisticated approach to cyber espionage, leveraging a mix of custom tools and common administrative tools to maintain stealth and effectiveness in their operations.

APT19 🇨🇳

Description
...

APT19, also known as Deep Panda, KungFu Kittens, and PinkPanther, is a cyber espionage group believed to be operating out of China. The group is known for its sophisticated cyber attacks targeting a variety of sectors, including government, defense, financial, and telecommunications.

Motivation
...

APT19's primary motivation appears to be intelligence gathering and espionage, often targeting information that aligns with the Chinese government's interests. This includes sensitive political, economic, and military information.

Names
...

  • Deep Panda
  • KungFu Kittens
  • PinkPanther

    Location

    APT19 is believed to be based in China.

    First Seen:-

    Observed

    APT19 has been observed conducting cyber espionage campaigns against a range of targets, including government entities, defense contractors, and financial institutions.

    APT19: Techniques and Software Used

    Techniques Used by APT19

  • Application Layer Protocol: Web Protocols (T1071.001): APT19 used HTTP for command and control (C2) communications and an HTTP malware variant for this purpose.
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): They established persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%.
  • Command and Scripting Interpreter (T1059): APT19 downloaded and launched code within SCT files.
  • PowerShell (T1059.001): They used PowerShell commands to execute payloads.
  • Create or Modify System Process: Windows Service (T1543.003): An APT19 Port 22 malware variant registers itself as a service.
  • Data Encoding: Standard Encoding (T1132.001): An HTTP malware variant used Base64 to encode communications to the C2 server.
  • Deobfuscate/Decode Files or Information (T1140): The HTTP malware variant decrypts strings using single-byte XOR keys.
  • Drive-by Compromise (T1189): APT19 performed a watering hole attack on forbes.com in 2014.
  • Hide Artifacts: Hidden Window (T1564.003): They used -W Hidden to conceal PowerShell windows.
  • Hijack Execution Flow: DLL Side-Loading (T1574.002): They launched malware variants using legitimate executables that loaded malicious DLLs.
  • Modify Registry (T1112): A Port 22 malware variant was used to modify several Registry keys.
  • Obfuscated Files or Information (T1027): Base64 was used to obfuscate payloads and executed commands.
  • Obtain Capabilities: Tool (T1588.002): APT19 obtained and used publicly-available tools like Empire.
  • Phishing: Spearphishing Attachment (T1566.001): They sent spearphishing emails with malicious RTF and XLSM attachments.
  • System Binary Proxy Execution: Regsvr32 (T1218.010) and Rundll32 (T1218.011): APT19 used these techniques for payload injection and to bypass application control techniques.
  • System Information Discovery (T1082): They collected system architecture information using malware variants.
  • System Network Configuration Discovery (T1016): The malware variants were used to collect MAC and IP addresses.
  • System Owner/User Discovery (T1033): They used malware variants to collect the victim’s username.
  • User Execution: Malicious File (T1204.002): APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.
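
Two of the APT19 HTTP-variant behaviours above are routine reverse-engineering work: strings protected with a single-byte XOR key (Deobfuscate/Decode) and a Base64 layer over the C2 traffic (Data Encoding). The block below is an added example written for this page, not APT19 code, and it does not reproduce the malware's layout: the key 0x5A, the NUL-separated string table and the beacon body are constructed, and the crib-based key recovery is the generic analyst approach.

```python
"""String decryption and C2 decoding as MITRE describes for APT19's HTTP
variant: single-byte XOR over embedded strings (T1140) and Base64 over the
C2 channel (T1132.001). Added example, not APT19 code: the key 0x5A, the
NUL-separated string table and the beacon body are constructed, and the
crib-based key recovery is the generic analyst approach, not the malware's."""
import base64
import string

ALLOWED = set(string.printable.encode()) | {0}   # NUL separators are fine


def xor1(data, key):
    """XOR every byte with the same single-byte key (self-inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob, cribs=(b"http://", b"https://", b"Mozilla/", b"User-Agent")):
    """Derive the key from a crib: key = cipher[i] ^ crib[0], then require the
    whole crib to decrypt at that offset and the whole blob to decrypt to
    printable text. Returns None when no crib fits anywhere."""
    for crib in cribs:
        for i in range(len(blob) - len(crib) + 1):
            key = blob[i] ^ crib[0]
            if xor1(blob[i:i + len(crib)], key) != crib:
                continue
            if all(b in ALLOWED for b in xor1(blob, key)):
                return key
    return None


def decrypt_string_table(blob, key):
    """Assumed layout: NUL-separated strings, each byte XORed with `key`."""
    return [s.decode() for s in xor1(blob, key).split(b"\x00") if s]


def decode_beacon(body_b64, key):
    """Assumed C2 body: Base64 over the same XOR layer."""
    return xor1(base64.b64decode(body_b64), key).decode()


# Constructed samples, produced with the same primitives.
SAMPLE_KEY = 0x5A
SAMPLE_TABLE = xor1(
    b"http://203.0.113.10/index.php\x00Mozilla/5.0 (compatible)\x00cmd.exe /c \x00",
    SAMPLE_KEY)
SAMPLE_BEACON = base64.b64encode(
    xor1(b"WS01|CORP\\jdoe|x64|10.0.0.5", SAMPLE_KEY)).decode()

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_TABLE)
    print(hex(key), decrypt_string_table(SAMPLE_TABLE, key))
    print(decode_beacon(SAMPLE_BEACON, key))
```

A crib beats brute-forcing all 256 keys and scoring for "looks like text": keys below 0x20 keep ASCII in the printable range and produce convincing gibberish, whereas a full URL or User-Agent crib has to match at every byte. Once the key is known, the same xor1 turns captured Base64 beacon bodies back into the fields the implant reported.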

    Software Used by APT19

  • Cobalt Strike (S0154): A tool used for exploitation and post-exploitation tasks in victim networks. It includes capabilities like command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, and more.
  • Empire (S0363): A post-exploitation framework that provides a range of tools for system penetration, including PowerShell and Python capabilities, lateral movement, and various exploitation techniques.

APT19's operations demonstrate a high level of sophistication and a focus on stealth and persistence. Their use of a variety of techniques and software tools underscores their capability to conduct advanced cyber espionage campaigns.

APT28 (Fancy Bear)
...

Description
...

APT28, also known as Fancy Bear, is a sophisticated and well-resourced cyber espionage group. It is believed to be associated with the Russian military intelligence agency GRU. This group has been active since at least the mid-2000s and is known for its advanced cyber capabilities.

Motivation
...

APT28 primarily focuses on collecting intelligence in support of Russian political and military interests. The group has been involved in numerous high-profile cyber espionage campaigns, targeting government, military, security organizations, and other entities perceived as threats or of interest to the Russian government.

Names
...

  • Fancy Bear
  • Sofacy
  • Sednit
  • STRONTIUM
  • Pawn Storm

    Location

    APT28 is believed to be based in Russia.

    First Seen

    The group has been active since at least the mid-2000s.

    Observed

    APT28 has been observed targeting a wide range of entities, including government and military organizations, security firms, media outlets, and political figures, particularly in countries that are geopolitically significant to Russia.

    Techniques and Software Used by APT28 (Fancy Bear)

    APT28, a highly sophisticated cyber espionage group, employs a wide array of techniques and software tools in its operations. Below is a detailed overview of some key techniques and software they have used:

    Techniques

  • Access Token Manipulation (T1134.001): APT28 exploited CVE-2015-1701 to access and copy the SYSTEM token for privilege escalation.
  • Account Manipulation (T1098.002): They used PowerShell cmdlets to grant additional permissions to compromised accounts.
  • Acquire Infrastructure (T1583): The group registered domains imitating various organizations and used Blogspot pages for credential harvesting.
  • Active Scanning (T1595.002): APT28 performed large-scale scans to find vulnerable servers.
  • Application Layer Protocol (T1071): They used protocols like HTTP, HTTPS, IMAP, POP3, and SMTP for communication in various implants.
  • Archive Collected Data (T1560): APT28 used tools like WinRAR to archive and password-protect collected data.
  • Boot or Logon Autostart Execution (T1547.001): They deployed malware that copied itself to the startup directory for persistence.
  • Brute Force (T1110): APT28 performed brute force and password spraying attacks to obtain credentials.
  • Command and Scripting Interpreter (T1059): The group used PowerShell scripts and Windows Command Shell for executing payloads.
  • Data from Information Repositories (T1213): They collected files from Microsoft SharePoint services within target networks.
  • Exploitation for Privilege Escalation (T1068): APT28 exploited various vulnerabilities like CVE-2014-4076 and CVE-2015-1701 for escalating privileges.
  • Obfuscated Files or Information (T1027): The group encrypted and obfuscated payloads to avoid detection.
  • Phishing (T1566): APT28 used spearphishing with malicious attachments or links to compromise targets.
  • Remote Services (T1021.002): They used SMB/Windows Admin Shares for remote operations.
  • System Binary Proxy Execution (T1218.011): APT28 executed payloads using commands like rundll32.
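
The Brute Force entry above names password spraying alongside classic guessing, and the two need different detections: spraying stays under per-account lockout thresholds by trying one or two passwords against many accounts. The rule below is an added example written for this page, not APT28 tooling; the authentication events are constructed, and the ten-minute window, the ten-account floor and the two-failures-per-account ceiling are assumptions to tune against your own logs.

```python
"""Password spraying detection (T1110.003), the pattern MITRE lists for
APT28 next to classic brute force: one source tries a few common passwords
across many accounts, staying under per-account lockout thresholds. Added
example, not APT28 tooling; the authentication events are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def detect_password_spray(auth_events, window=timedelta(minutes=10),
                          min_accounts=10, max_per_account=2):
    """auth_events: dicts with 'ts' (datetime), 'src_ip', 'user', 'success'.
    Flags a source whose failures inside `window` touch at least
    `min_accounts` distinct users with no more than `max_per_account`
    failures each (the low-and-slow profile a lockout policy never sees).
    A single account hammered many times is brute force, not spraying,
    and is left to a different rule."""
    by_src = defaultdict(list)
    for ev in auth_events:
        by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failures = Counter(e["user"] for e in in_window if not e["success"])
            if (failures and len(failures) >= min_accounts
                    and max(failures.values()) <= max_per_account):
                alerts.append({
                    "src_ip": src_ip,
                    "start": start["ts"].isoformat(),
                    "accounts_tried": len(failures),
                    # a success from the same source is the account to reset first
                    "compromised": sorted({e["user"] for e in in_window if e["success"]}),
                })
                break
    return alerts


BASE = datetime(2024, 3, 1, 2, 0, 0)
SAMPLE_AUTH = (
    # spray: 12 accounts, one failure each, 20 seconds apart (constructed)
    [{"ts": BASE + timedelta(seconds=20 * i), "src_ip": "203.0.113.7",
      "user": f"user{i:02d}", "success": False} for i in range(12)]
    # the one password that worked
    + [{"ts": BASE + timedelta(seconds=240), "src_ip": "203.0.113.7",
        "user": "jsmith", "success": True}]
    # brute force against a single account from another source: not a spray
    + [{"ts": BASE + timedelta(seconds=5 * i), "src_ip": "10.0.0.3",
        "user": "bob", "success": False} for i in range(5)]
)

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_AUTH):
        print(alert)
```

Run this against VPN, OWA and other external logon sources first, since the External Remote Services and Valid Accounts entries for several groups on this page describe exactly what a successful spray turns into: a legitimate-looking logon from outside.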

    Software

  • ADVSTORESHELL (S0045): A multifunctional toolkit used for various purposes including data staging and encrypted communication.
  • Cannon (S0351): A tool used for tasks like screen capture and file discovery.
  • CHOPSTICK (S0023): A sophisticated backdoor used for keylogging, screen capture, and proxying.
  • CORESHELL (S0137): A backdoor used for encrypted communication and data encoding.
  • Drovorub (S0502): A Linux-based malware used for data exfiltration and rootkit capabilities.
  • JHUHUGIT (S0044): A backdoor used for clipboard data capture, screen capture, and process injection.
  • Koadic (S0250): An open-source Windows post-exploitation RAT (COM Command & Control) used for credential dumping and command execution.
  • Mimikatz (S0002): A well-known tool used for credential dumping and pass-the-hash attacks.
  • XTunnel (S0117): A network tunneling tool used for encrypted communication and proxying.
  • Zebrocy (S0251): A malware toolkit used for data collection, screen capture, and network discovery.

APT28's arsenal of techniques and software demonstrates their capability to conduct sophisticated cyber espionage operations. Their methods range from exploiting system vulnerabilities to sophisticated social engineering attacks, underlining the need for robust cybersecurity measures.

Description of APT3:
...

APT3, also known as UPS Team, Buckeye, Gothic Panda, and TG-0110, is a sophisticated cyber espionage group believed to be based in China. This group has been active since at least 2009 and is known for its advanced persistent threats (APT) targeting a variety of sectors worldwide, including government, defense, technology, and telecommunications.

Motivation:
...

APT3's primary motivation appears to be espionage, likely driven by national and economic interests. Their activities suggest an intent to gather intelligence and potentially steal intellectual property or sensitive government and military information.

Names:
...

APT3 is known by various aliases, including UPS Team, Buckeye, Gothic Panda, and TG-0110. These names have been attributed to the group by different cybersecurity organizations and researchers.

Location:
...

APT3 is believed to be operating out of China.

First Seen:
...

APT3 has been active since at least 2009.

Observed:
...

APT3 has targeted a wide range of sectors, including government, defense, technology, and telecommunications, with a global focus. Their operations have been observed in multiple countries, indicating a broad and diverse set of targets.

APT3: Techniques and Software

Below is a detailed overview of the techniques and software used by APT3:

Techniques Used by APT3:
...

  • Account Discovery (T1087.001): APT3 uses tools to gather information about local and global group users, power users, and administrators.
  • Account Manipulation (T1098): The group adds created accounts to local admin groups to maintain elevated access.
  • Archive Collected Data (T1560.001): APT3 compresses data before exfiltrating it.
  • Boot or Logon Autostart Execution (T1547.001): Scripts are placed in the startup folder for persistence.
  • Brute Force: Password Cracking (T1110.002): The group is known to brute force password hashes.
  • Command and Scripting Interpreter (T1059): APT3 uses PowerShell and Windows Command Shell for various malicious activities.
  • Create Account: Local Account (T1136.001): Known for creating or enabling accounts for access.
  • Create or Modify System Process (T1543.003): The group creates new services for persistence.
  • Credentials from Password Stores (T1555.003): APT3 dumps passwords from browsers.
  • Data from Local System (T1005): Identifies Microsoft Office documents for exfiltration.
  • Data Staged: Local Data Staging (T1074.001): Stages files for exfiltration in a single location.
  • Event Triggered Execution: Accessibility Features (T1546.008): Replaces the Sticky Keys binary (sethc.exe) for persistence, giving a SYSTEM shell from the logon screen.
  • Exfiltration Over C2 Channel (T1041): Uses tools that exfiltrate data over the C2 channel.
  • Exploitation for Client Execution (T1203): Exploits vulnerabilities in Adobe Flash Player and Internet Explorer.
  • File and Directory Discovery (T1083): Looks for files and directories on the local file system.
  • Hide Artifacts: Hidden Window (T1564.003): Conceals PowerShell windows.
  • Hijack Execution Flow: DLL Side-Loading (T1574.002): Known to side-load DLLs.
  • Indicator Removal: File Deletion (T1070.004): Deletes files to remove traces.
  • Ingress Tool Transfer (T1105): Copies files to remote machines.
  • Input Capture: Keylogging (T1056.001): Records keystrokes in encrypted files.
  • Multi-Stage Channels (T1104): Establishes SOCKS5 connections for C2.
  • Non-Application Layer Protocol (T1095): Uses SOCKS5 for initial C2.
  • Obfuscated Files or Information (T1027): Obfuscates files to evade detection.
  • OS Credential Dumping (T1003.001): Dumps credentials from LSASS memory.
  • Permission Groups Discovery (T1069): Enumerates permissions of Windows groups.
  • Phishing: Spearphishing Link (T1566.002): Sends spearphishing emails with malicious links.
  • Process Discovery (T1057): Lists currently running processes.
  • Proxy: External Proxy (T1090.002): Establishes external proxy connections.
  • Remote Services (T1021): Enables and uses Remote Desktop Protocol and SMB/Windows Admin Shares.
  • Remote System Discovery (T1018): Detects the existence of remote systems.
  • Scheduled Task/Job: Scheduled Task (T1053.005): Creates scheduled tasks for persistence.
  • System Binary Proxy Execution: Rundll32 (T1218.011): Runs DLLs for execution.
  • System Information Discovery (T1082): Gathers information about the local system.
  • System Network Configuration Discovery (T1016): Gathers network information.
  • System Network Connections Discovery (T1049): Enumerates current network connections.
  • System Owner/User Discovery (T1033): Determines the system owner or user.
  • Unsecured Credentials: Credentials In Files (T1552.001): Locates credentials in files.
  • User Execution: Malicious Link (T1204.001): Lures victims into clicking malicious links.
  • Valid Accounts: Domain Accounts (T1078.002): Leverages valid accounts for domain access.

    Software Used by APT3

  • LaZagne (S0349): Used for various credential dumping techniques.
  • OSInfo (S0165): A tool for account discovery, system information discovery, and more.
  • PlugX (S0013): A multifunctional tool used for command execution, data exfiltration, and more.
  • RemoteCMD (S0166): Facilitates remote command execution.
  • schtasks (S0111): Used for creating scheduled tasks.
  • SHOTPUT (S0063): A custom backdoor used for account discovery and other functions.

In summary, APT3 is a highly sophisticated group employing a wide range of techniques and custom software to conduct espionage and cyber operations. Their tactics demonstrate advanced capabilities in maintaining persistence, evading detection, and extracting sensitive information.
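Several of the APT3 techniques listed above leave the same footprints on an endpoint: rundll32 loading a DLL from a user-writable directory (T1218.011), schtasks registering a task that runs a dropped binary (T1053.005), and a non-system process opening lsass.exe with read access (T1003.001). The following is an added detection example written for this page, not code from the page's author, MITRE or any vendor. It runs three rules over a handful of constructed Sysmon-style events (invented for illustration; field names follow Sysmon's EventID 1 and EventID 10 schema, the trusted-client list and thresholds are assumptions to tune per environment):

```python
import re

# Constructed Sysmon-style events for illustration only; these are not real
# telemetry from any intrusion. EventID 1 = process creation,
# EventID 10 = process access (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\update.dll,Start",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\bob\AppData\Roaming\svc.exe" /sc onlogon',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1,  # benign: Control Panel applet launched via rundll32
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10,  # benign: svchost only queries process information
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1400"},
]

# Directories a standard user can write to; payloads staged there are the
# usual giveaway for rundll32 and scheduled-task abuse.
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.I)

# PROCESS_VM_READ is required to read LSASS memory; legitimate callers such as
# svchost normally ask only for QUERY_(LIMITED_)INFORMATION (0x1000 / 0x0400).
PROCESS_VM_READ = 0x0010
# Assumed allow-list; extend with EDR/AV agents present in your environment.
TRUSTED_LSASS_CLIENTS = (r"\windows\system32\svchost.exe",
                         r"\windows\system32\csrss.exe",
                         r"\windows\system32\wininit.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """T1218.011 and T1053.005 rules over a Sysmon EventID 1 record."""
    image, cmd = basename(ev["Image"]), ev["CommandLine"]
    if image == "rundll32.exe":
        # First argument is "<dll>,<export>"; flag DLLs loaded from user-writable paths.
        parts = cmd.split(None, 1)
        dll = parts[1].split(",", 1)[0].strip('"') if len(parts) > 1 else ""
        if USER_WRITABLE.search(dll):
            return {"technique": "T1218.011",
                    "reason": f"rundll32 loading DLL from user-writable path: {dll}"}
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.I)
        target = m.group(1).strip('"') if m else ""
        if USER_WRITABLE.search(target):
            return {"technique": "T1053.005",
                    "reason": f"scheduled task runs binary from user-writable path: {target}"}
    return None


def check_process_access(ev):
    """T1003.001 rule over a Sysmon EventID 10 record targeting lsass.exe."""
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    access = int(ev["GrantedAccess"], 16)
    src = ev["SourceImage"].lower()
    if access & PROCESS_VM_READ and not src.endswith(TRUSTED_LSASS_CLIENTS):
        return {"technique": "T1003.001",
                "reason": f"{ev['SourceImage']} opened lsass.exe with 0x{access:x} (includes PROCESS_VM_READ)"}
    return None


def detect(events):
    """Return one finding per event that matches a rule, in input order."""
    findings = []
    for ev in events:
        hit = None
        if ev["EventID"] == 1:
            hit = check_process_create(ev)
        elif ev["EventID"] == 10:
            hit = check_process_access(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["technique"], "-", f["reason"])
```

The rules deliberately key on where the loaded or scheduled binary lives rather than on file names, since the group renames and moves its tooling freely; the LSASS rule keys on the requested access mask, which credential dumpers cannot avoid asking for.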

Description of APT 30 (Override Panda)
...

APT 30, also known as Override Panda, is a cyber espionage group suspected to be associated with the Chinese government. This group has been active since at least 2005 and is known for its decade-long operation focused predominantly on entities in Southeast Asia and India. APT 30 is notable for its sustained activity and regional focus, as well as its success in espionage despite maintaining relatively consistent tools, tactics, and infrastructure over a long period.

Motivation
...

The primary objective of APT 30 appears to be data theft, particularly targeting government and commercial entities holding key political, economic, and military information about the region. Unlike many cyber threat groups, APT 30 does not seem to be motivated by financial gain, as they have not been observed targeting data that can be readily monetized, such as credit card data or bank transfer credentials. Instead, their tools are designed to identify and steal documents, showing an interest in documents that may be stored on air-gapped networks.

Names
...

APT 30 is also known as Override Panda. The group has been identified under different names by various cybersecurity organizations.

Location
...

APT 30 is suspected to be associated with the Chinese government, indicating that their operations are likely based in China.

First Seen
...

APT 30 has been active since at least 2005, engaging in cyber espionage activities for over a decade.

Observed Activities
...

APT 30 has shown a distinct interest in organizations and governments associated with the Association of Southeast Asian Nations (ASEAN), especially around the time of official ASEAN meetings. Their decoy documents often relate to Southeast Asia, India, border areas, and broader security and diplomatic issues. In addition to their focus on Southeast Asia and India, APT 30 has also targeted journalists reporting on issues considered focal points for the Chinese Communist Party, such as corruption, the economy, and human rights.

Techniques Used by APT 30
...

  • Phishing: Spearphishing Attachment (T1566.001): APT30 has utilized spearphishing emails with malicious DOC attachments. This technique involves sending targeted emails that contain malicious attachments to trick recipients into opening them, thereby compromising their systems.
  • User Execution: Malicious File (T1204.002): The group relies on users executing malicious file attachments delivered via spearphishing emails. This tactic depends on user interaction to initiate the execution of the malicious payload.

    Software Tools Used by APT 30

  • BACKSPACE (S0031):
    • Techniques: Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Shortcut Modification), Command and Scripting Interpreter (Windows Command Shell), Data Encoding (Non-Standard Encoding), Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses (Disable or Modify System Firewall), Modify Registry, Multi-Stage Channels, Process Discovery, Proxy (Internal Proxy), Query Registry, System Information Discovery.
    • Usage: BACKSPACE is a multifunctional tool used for various purposes, including communication over web protocols, data encoding, and exfiltration.
  • FLASHFLOOD (S0036):
    • Techniques: Archive Collected Data (Archive via Custom Method), Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder), Data from Local System, Data from Removable Media, Data Staged (Local Data Staging), File and Directory Discovery.
    • Usage: FLASHFLOOD is employed for data collection and staging, including archiving data using custom methods and extracting data from local and removable media.
  • NETEAGLE (S0034):
    • Techniques: Application Layer Protocol (Web Protocols), Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder), Command and Scripting Interpreter (Windows Command Shell), Dynamic Resolution, Encrypted Channel (Symmetric Cryptography), Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Non-Application Layer Protocol, Process Discovery.
    • Usage: NETEAGLE is a sophisticated tool used for encrypted communication, dynamic resolution, and data exfiltration.
  • SHIPSHAPE (S0028):
    • Techniques: Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Shortcut Modification), Replication Through Removable Media.
    • Usage: SHIPSHAPE is used for persistence and replication, particularly through the use of removable media.
  • SPACESHIP (S0035):
    • Techniques: Archive Collected Data (Archive via Custom Method), Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Shortcut Modification), Data Staged (Local Data Staging), Exfiltration Over Physical Medium (Exfiltration over USB), File and Directory Discovery.
    • Usage: SPACESHIP focuses on data archiving, staging, and exfiltration, particularly over physical mediums like USB.

These techniques and tools demonstrate APT 30's capabilities in conducting targeted cyber espionage operations, particularly focused on information gathering, document theft, and exploiting user interactions to compromise systems.

Description of APT32
...

APT32, also known as OceanLotus, is a Vietnam-based threat group that has been active since at least 2014. It has primarily targeted journalists, dissidents, large private enterprises, and government organizations in Southeast Asia, with activity concentrated in Vietnam, the Philippines, Cambodia, and Laos. APT32's operations frequently align with Vietnamese state interests, which points to likely state sponsorship.

Motivation
...

APT32's motivations appear to be closely aligned with Vietnamese state interests. They have targeted foreign corporations in key commercial sectors such as manufacturing, hospitality, and consumer products, which are significant to Vietnam's economy. Additionally, they have targeted network security and technology corporations, as well as dissidents and journalists, indicating a focus on both economic and political espionage.

Names
...

APT32 is also known as OceanLotus (the OceanLotus Group), SeaLotus, APT-C-00 and BISMUTH.

Location
...

APT32 is based in Vietnam.

First Seen
...

APT32 was first identified in 2014.

Observed Activities
...

APT32 has been involved in various cyber espionage activities, including:

  • Targeting and compromising a European corporation involved in building manufacturing facilities in Vietnam (2014).
  • Compromising Vietnamese and foreign corporations in network security, technology infrastructure, media, and banking (2016).
  • Targeting a large hospitality industry company expanding operations into Vietnam (2016).
  • Targeting U.S. and Philippine consumer products corporations with operations in Vietnam for spyware and data exfiltration activities.
  • Conducting spyware attacks on Vietnam-based and non-profit human rights organizations.

    Techniques Used by APT32

  • Account Discovery: Local Account (T1087.001): APT32 used commands like net localgroup administrators to enumerate administrative users.
  • Acquire Infrastructure: Domains (T1583.001) and Web Services (T1583.006): APT32 set up websites for information gathering and malware delivery, and used services like Dropbox, Amazon S3, and Google Drive for hosting malicious downloads.
  • Application Layer Protocol (T1071): They used JavaScript for communication over HTTP/HTTPS to attacker-controlled domains and downloaded encrypted payloads.
  • Archive Collected Data (T1560): APT32's backdoor utilized LZMA compression and RC4 encryption before data exfiltration.
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): They established persistence using Registry Run keys for executing scripts and their backdoor.
  • Command and Scripting Interpreter (T1059): APT32 used various scripting methods including PowerShell, cmd.exe, Visual Basic, and JavaScript for execution and C2 communications.
  • Create or Modify System Process: Windows Service (T1543.003): They modified Windows Services for loading scripts and establishing persistence.
  • Drive-by Compromise (T1189): Victims were infected by visiting compromised websites.
  • Exploitation for Client Execution (T1203) and Privilege Escalation (T1068): APT32 exploited vulnerabilities like CVE-2017-11882 and CVE-2016-7255.
  • File and Directory Discovery (T1083): Their backdoor could list files and directories on infected machines.
  • Gather Victim Identity Information (T1589): APT32 targeted activists and bloggers for surveillance.
  • Hide Artifacts (T1564): They used various methods to hide their activities, including hidden files, windows, and NTFS file attributes.
  • Hijack Execution Flow: DLL Side-Loading (T1574.002): APT32 used legitimately-signed executables to load malicious DLLs.
  • Indicator Removal (T1070): They cleared event logs, deleted files, and used timestomping to hide their tracks.
  • Ingress Tool Transfer (T1105): APT32 added JavaScript to websites for downloading additional frameworks.
  • Input Capture: Keylogging (T1056.001): APT32 abused the PasswordChangeNotify mechanism (a password filter DLL that Windows notifies on every password change) to monitor for and capture account password changes.
  • Lateral Tool Transfer (T1570): Tools were deployed using administrative accounts after moving laterally.
  • Masquerading (T1036): APT32 disguised their tools and activities, including renaming utilities and using hidden characters.
  • Modify Registry (T1112): Their backdoor modified the Windows Registry for storing configuration.
  • Network Service Discovery (T1046) and Network Share Discovery (T1135): APT32 performed network scanning and discovered network shares.
  • Non-Standard Port (T1571): Their backdoor used HTTP over non-standard TCP ports.
  • Obfuscated Files or Information (T1027): APT32 used various obfuscation techniques including Base64 encoding and code obfuscation frameworks.
  • Obtain Capabilities: Tool (T1588.002): They obtained and used tools like Mimikatz and Cobalt Strike.
  • Office Application Startup (T1137): APT32 replaced Microsoft Outlook's VbaProject.OTM file for installing a backdoor.
  • OS Credential Dumping (T1003): They used tools like Mimikatz for harvesting credentials.
  • Phishing: Spearphishing Attachment (T1566.001) and Link (T1566.002): APT32 sent spearphishing emails with malicious attachments and links.
  • Process Injection (T1055): Their malware injected a Cobalt Strike beacon into Rundll32.exe.
  • Query Registry (T1012): The backdoor queried the Windows Registry for system information.
  • Remote Services: SMB/Windows Admin Shares (T1021.002): APT32 used hidden network shares for copying tools to remote machines.
  • Remote System Discovery (T1018): They enumerated domain controllers and used the ping command for discovery.
  • Scheduled Task/Job: Scheduled Task (T1053.005): APT32 used scheduled tasks for persistence.
  • Server Software Component: Web Shell (T1505.003): They used Web shells for maintaining access to victim websites.
  • Software Deployment Tools (T1072): APT32 compromised software deployment tools for lateral movement.
  • Stage Capabilities (T1608): They hosted malicious payloads in cloud storage services.
  • System Binary Proxy Execution (T1218): APT32 used various system binaries like mshta.exe and regsvr32.exe for execution.
  • System Information Discovery (T1082): They collected information about the OS version, computer name, and other system details.
  • System Network Configuration Discovery (T1016): APT32 used the ipconfig command for gathering IP addresses.
  • System Network Connections Discovery (T1049): They used netstat to display TCP connections.
  • System Owner/User Discovery (T1033): APT32 collected usernames and executed the whoami command.
  • System Script Proxy Execution: PubPrn (T1216.001): They used PubPrn.vbs within execution scripts.
  • System Services: Service Execution (T1569.002): Their backdoor used Windows services for executing payloads.
  • Unsecured Credentials: Credentials in Registry (T1552.002): APT32 harvested credentials stored in the Windows registry.
  • Use Alternate Authentication Material: Pass the Hash (T1550.002) and Pass the Ticket (T1550.003): They used techniques like pass the hash and pass the ticket for lateral movement.
  • User Execution: Malicious Link (T1204.001) and File (T1204.002): APT32 lured targets to download malicious payloads through spearphishing.
  • Valid Accounts: Local Accounts (T1078.003): They used legitimate local admin account credentials.
  • Web Service (T1102): APT32 used cloud storage services for hosting malicious downloads.
  • Windows Management Instrumentation (T1047): They used WMI for deploying tools and gathering information.

    Software Used by APT32

  • Arp (S0099): Used for remote system discovery and network configuration discovery.
  • Cobalt Strike (S0154): A versatile tool used for a wide range of activities including command execution, data exfiltration, and credential dumping.
  • Denis (S0354): Used for various purposes including command execution, data encoding, and obfuscation.
  • Goopy (S0477): Employed for DNS communication, data exfiltration, and DLL side-loading.
  • ipconfig (S0100): Used for system network configuration discovery.
  • Kerrdown (S0585): Utilized for command execution, data obfuscation, and phishing.
  • KOMPROGO (S0156): Used for command execution and system information discovery.
  • Mimikatz (S0002): A well-known tool for credential dumping and manipulation.
  • Net (S0039): Used for account discovery, remote services, and system discovery.
  • netsh (S0108): Employed for event-triggered execution and impairing defenses.
  • OSX_OCEANLOTUS.D (S0352): A macOS backdoor used for data exfiltration and system process modification.
  • PHOREAL (S0158): Used for command execution and registry modification.
  • RotaJakiro (S1078): A tool for automated collection and boot or logon autostart execution.
  • SOUNDBITE (S0157): Employed for DNS communication and system information discovery.
  • WINDSHIELD (S0155): Used for indicator removal, query registry, and system information discovery.

APT32's use of a wide range of sophisticated techniques and software demonstrates their capability to conduct complex cyber espionage operations. Their methods are diverse, covering everything from initial access and persistence to data exfiltration and covering their tracks.

APT33: Overview and Activities
...

Description:

APT33, a cyber espionage group, is known for its sophisticated cyber operations targeting a variety of sectors. Their activities primarily focus on espionage and data exfiltration, often targeting organizations in the aviation, energy, and government sectors. APT33 is recognized for its advanced techniques and persistent approach in cyber operations.

Motivation:

The primary motivation of APT33 appears to be espionage, with a strong focus on gathering sensitive information and intellectual property from targeted industries and government entities. Their activities suggest an intent to support national strategic objectives, likely for a state-sponsored purpose.

Names:

APT33 is also known by other monikers such as Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY and ATK35; MITRE ATT&CK tracks the group as G0064. These aliases have been used by various cybersecurity organizations to describe the group's activities and operations.

Location:

APT33 is believed to be operating out of Iran.

First Seen:

The group has been active since at least 2013, engaging in numerous sophisticated cyber espionage campaigns.

Observed Activities:

APT33 has been observed targeting a wide range of sectors, including but not limited to aviation, energy, and government organizations. Their activities have been primarily focused on espionage and intellectual property theft.

APT33 Techniques and Software

Techniques Used by APT33
...

  • Application Layer Protocol: Web Protocols (T1071.001): APT33 used HTTP for command and control.
  • Archive Collected Data: Archive via Utility (T1560.001): Utilized WinRAR to compress data before exfiltration.
  • Boot or Logon Autostart Execution (T1547.001): Deployed DarkComet to the Startup folder and used Registry run keys for persistence.
  • Brute Force: Password Spraying (T1110.003): Employed password spraying to access target systems.
  • Command and Scripting Interpreter: PowerShell (T1059.001): Used PowerShell for downloading files and running scripts from the C2 server.
  • Command and Scripting Interpreter: Visual Basic (T1059.005): Initiated payload delivery using VBScript.
  • Credentials from Password Stores (T1555): Harvested credentials using tools like LaZagne.
  • Data Encoding: Standard Encoding (T1132.001): Encoded command and control traffic using base64.
  • Encrypted Channel: Symmetric Cryptography (T1573.001): Utilized AES encryption for command and control traffic.
  • Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003): Attempted to establish persistence using WMI event subscriptions.
  • Exfiltration Over Alternative Protocol (T1048.003): Exfiltrated files using FTP, separate from the C2 channel.
  • Exploitation for Client Execution (T1203): Exploited vulnerabilities in WinRAR and attempted remote code execution via security bypass.
  • Exploitation for Privilege Escalation (T1068): Used a public exploit for CVE-2017-0213 for local privilege escalation.
  • Ingress Tool Transfer (T1105): Downloaded additional files and programs from the C2 server.
  • Network Sniffing (T1040): Employed SniffPass for credential collection via network traffic sniffing.
  • Non-Standard Port (T1571): Used HTTP over TCP ports 808 and 880 for command and control.
  • Obfuscated Files or Information (T1027): Employed base64 encoding for payload obfuscation.
  • Obtain Capabilities: Tool (T1588.002): Leveraged publicly-available tools for early intrusion activities.
  • OS Credential Dumping (T1003): Utilized tools like LaZagne, Mimikatz, and ProcDump for credential dumping.
  • Phishing: Spearphishing Attachment (T1566.001): Sent spearphishing emails with archive attachments.
  • Phishing: Spearphishing Link (T1566.002): Distributed spearphishing emails containing links to .hta files.
  • Scheduled Task/Job: Scheduled Task (T1053.005): Created scheduled tasks for executing .vbe files.
  • Unsecured Credentials (T1552): Gathered credentials using tools like LaZagne and Gpppassword.
  • User Execution: Malicious Link (T1204.001): Lured users to click malicious links in spearphishing emails.
  • User Execution: Malicious File (T1204.002): Used malicious email attachments to execute malware.
  • Valid Accounts (T1078): Utilized valid accounts for initial access and privilege escalation.
  • Valid Accounts: Cloud Accounts (T1078.004): Compromised Office 365 accounts in conjunction with Ruler for endpoint control.
  • Screen Capture (ICS T0852): Utilized backdoors for capturing screenshots.
  • Scripting (ICS T0853): Employed PowerShell scripts for command and control and file execution.
  • Spearphishing Attachment (ICS T0865): Conducted targeted spearphishing campaigns with HTML application files embedded with malicious code.

    Software Used by APT33

  • AutoIt backdoor (S0129): Used for various malicious activities including PowerShell execution and data encoding.
  • Empire (S0363): A versatile framework used for a wide range of malicious activities, from account discovery to exfiltration.
  • ftp (S0095): Used for file exfiltration and tool transfer.
  • LaZagne (S0349): Employed for credential harvesting from various sources.
  • Mimikatz (S0002): A well-known tool for dumping credentials and manipulating access tokens.
  • NanoCore (S0336): Used for audio capture, command execution, and credential theft.
  • Net (S0039): Utilized for account discovery and network share access.
  • NETWIRE (S0198): A multi-functional remote access tool used for data collection and system control.
  • PoshC2 (S0378): A PowerShell C2 framework used for a variety of tasks including token manipulation and data exfiltration.
  • PowerSploit (S0194): A collection of PowerShell modules used for various stages of exploitation and post-exploitation.
  • POWERTON (S0371): Utilized for command and control activities and credential dumping.
  • Pupy (S0192): A remote administration and post-exploitation tool.
  • Ruler (S0358): Used in conjunction with compromised email accounts for endpoint control.
  • StoneDrill (S0380): Employed for data destruction and system information discovery.
  • TURNEDUP (S0199): Used for system information discovery and screen capture.

APT33's techniques and software usage demonstrate a sophisticated and versatile approach to cyber espionage, leveraging a mix of custom tools and publicly available utilities to achieve their objectives.

APT37 (Reaper)
...

Description
...

APT37, also known as Reaper, is a cyber espionage group believed to be operating out of North Korea. It has been active since at least 2012, primarily targeting the public and private sectors in South Korea. By 2017, APT37 expanded its operations to include Japan, Vietnam, and the Middle East, focusing on a range of industries such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.

Motivation
...

APT37's activities are primarily driven by espionage objectives, likely in support of North Korean state interests. Their operations are characterized by a focus on gathering intelligence and potentially disrupting targets that are of strategic importance to North Korea.

Names
...

APT37 is known by various aliases including Group 123, InkySquid, Reaper Group, Red Eyes, Ricochet Chollima, ScarCruft, Venus 121, ATK4 and Moldy Pisces; Operation Daybreak and Operation Erebus are names given to specific campaigns attributed to the group, and MITRE ATT&CK tracks it as G0067.

Location
...

APT37 is believed to be based in North Korea.

First Seen
...

The group has likely been active since at least 2012.

Observed
...

APT37 has expanded its targeting beyond the Korean peninsula since 2017, including Japan, Vietnam, and the Middle East.

Techniques Used by APT37
...

  • Abuse Elevation Control Mechanism (T1548.002): APT37 uses methods to bypass Windows User Account Control (UAC), allowing the execution of payloads with higher privileges.
  • Application Layer Protocol (T1071.001): The group uses HTTPS to conceal command and control (C2) communications, making detection more challenging.
  • Audio Capture (T1123): APT37 employs SOUNDWAVE, an audio capturing utility, to record microphone input, likely for surveillance purposes.
  • Boot or Logon Autostart Execution (T1547.001): They achieve persistence by adding a value under the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  • Command and Scripting Interpreter (T1059): The group uses various scripting languages like Ruby, Python, and Visual Basic to execute payloads and perform malicious activities.
  • Credentials from Password Stores (T1555.003): APT37 uses ZUMKONG, a credential stealer, to harvest usernames and passwords from web browsers.
  • Data from Local System (T1005): The group collects sensitive data from victims' local systems.
  • Disk Wipe (T1561.002): They have access to destructive malware capable of overwriting the Master Boot Record (MBR), potentially rendering the infected systems inoperable.
  • Drive-by Compromise (T1189): APT37 uses compromised websites, especially South Korean sites, and torrent file-sharing sites to distribute malware.
  • Exploitation for Client Execution (T1203): The group exploits vulnerabilities in popular software like Flash Player, Word, Internet Explorer, and Microsoft Edge for execution.
  • Ingress Tool Transfer (T1105): APT37 downloads second-stage malware from compromised websites.
  • Inter-Process Communication (T1559.002): The group uses Windows DDE for command execution and malicious scripting.
  • Masquerading (T1036.001): They sign their malware with invalid digital certificates to appear legitimate.
  • Native API (T1106): APT37 leverages Windows API calls for process injection.
  • Obfuscated Files or Information (T1027): The group obfuscates strings and payloads to evade detection.
  • Peripheral Device Discovery (T1120): APT37 uses a Bluetooth device harvester to find information on connected Bluetooth devices.
  • Phishing (T1566.001): They deliver malware using spearphishing emails with malicious attachments.
  • Process Discovery (T1057): The group's Freenki malware lists running processes using the Windows API.
  • Process Injection (T1055): APT37 injects its ROKRAT malware into the cmd.exe process for stealthy execution.
  • Scheduled Task/Job (T1053.005): They create scheduled tasks to run malicious scripts on compromised hosts.
  • System Information Discovery (T1082): APT37 collects detailed system information like computer name and BIOS model.
  • System Owner/User Discovery (T1033): The group identifies the victim's username.
  • System Shutdown/Reboot (T1529): APT37 uses malware that can reboot a system after wiping its MBR.
  • User Execution (T1204.002): The group sends spearphishing attachments to trick users into executing malicious files.
  • Web Service (T1102.002): APT37 uses social networking sites and cloud platforms for C2 communications.

    Software Used by APT37

  • BLUELIGHT: A multifunctional malware tool used for data exfiltration, screen capture, and information gathering.
  • Cobalt Strike: A commercial penetration testing tool repurposed for malicious activities, including command and control.
  • CORALDECK: A tool used for data exfiltration and file discovery.
  • DOGCALL: A multifunctional tool capable of audio capture, keylogging, screen capture, and bidirectional communication.
  • Final1stspy: A tool used for information gathering and obfuscation.
  • HAPPYWORK: A tool for system information discovery and data transfer.
  • KARAE: Used in drive-by compromises and for system information discovery.
  • NavRAT: A tool for command execution, keylogging, and data staging.
  • POORAIM: Used for screen capture, information gathering, and web service communication.
  • ROKRAT: A sophisticated malware variant used for a wide range of activities including audio capture, data exfiltration, and process injection.
  • SHUTTERSPEED: A tool primarily used for screen capture and system information gathering.
  • SLOWDRIFT: A tool for system information discovery and web service communication.
  • WINERACK: A tool used for command execution and system information discovery.

APT37's diverse range of techniques and software tools highlights their capability to conduct sophisticated cyber espionage operations. Their focus on stealth and persistence, coupled with the use of custom tools, makes them a significant threat to their targets.
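Both APT32 (Registry Run keys for scripts and its backdoor) and APT37 (a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run) persist through the same autostart mechanism, T1547.001. What follows is an added audit example written for this page; it is not code from the page's author, MITRE or either group. It parses the text format produced by `reg export` (a constructed export, invented for illustration) and flags Run/RunOnce values that launch through a script host or proxy-execution binary, or that reference a common payload staging directory. The launcher list and directory list are assumptions to tune per environment:

```python
import re

# Constructed `reg export` output, not a capture from a real host. Registry
# exports escape backslashes as \\ and embedded quotes as \".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\bob\\AppData\\Roaming\\upd.vbs\""
"Helper"="rundll32.exe C:\\ProgramData\\h.dll,Init"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Sync"="C:\\Users\\Public\\sync.exe"
'''

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
ENTRY = re.compile(r'^"([^"]+)"="(.*)"$')
# Script hosts and proxy-execution binaries that rarely belong in a Run key
# on a workstation (assumed list; adjust for your fleet).
LOLBIN_LAUNCHERS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                    "regsvr32.exe", "powershell.exe", "cmd.exe"}
# Staging directories favoured for dropped payloads. AppData\Local is left out
# on purpose: too many legitimate per-user installers live there.
STAGING_DIRS = re.compile(r"\\(temp|programdata|public|appdata\\roaming)\\", re.I)


def parse_run_entries(export_text):
    """Return (key_path, value_name, command) for every value under a Run/RunOnce key."""
    current, entries = None, []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if RUN_KEY.search(key) else None
            continue
        m = ENTRY.match(line)
        if current and m:
            name, raw = m.groups()
            # Undo reg-export escaping: "\\" -> "\", "\"" -> '"'.
            entries.append((current, name, re.sub(r"\\(.)", r"\1", raw)))
    return entries


def first_token(command):
    """The program a Run value launches: a quoted path or the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(None, 1)[0]


def audit_run_keys(export_text):
    """Flag Run/RunOnce values by launcher type and by payload location."""
    findings = []
    for key, name, command in parse_run_entries(export_text):
        exe = first_token(command).rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in LOLBIN_LAUNCHERS:
            reasons.append(f"launcher {exe} is a script host / proxy-execution binary")
        if STAGING_DIRS.search(command):
            reasons.append("command references a common payload staging directory")
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"[{f['key']}] {f['name']} = {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a live host the input would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM, RunOnce and Wow6432Node equivalents); the parser is also a reasonable base for diffing exports taken over time, which is how a newly added value of the kind APT37 plants tends to surface.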

APT38 Threat Actor Profile
...

Description
...

APT38 is a North Korean state-sponsored threat actor that specializes in financially motivated cyber operations against banks and financial institutions. It is believed to be directed by, or part of, the North Korean Reconnaissance General Bureau (RGB), the intelligence agency responsible for the state's covert operations. APT38 has targeted financial institutions, cryptocurrency entities, SWIFT system users and endpoints, and ATMs in at least 38 countries.

Motivation
...

APT38's primary motivation appears to be financial gain, specifically through sophisticated attacks on banks and financial systems worldwide. Their operations include large-scale heists, such as the $81 million theft from Bangladesh Bank (the country's central bank) in February 2016.

Names
...

APT38 is the primary name used to identify this group. Its activity overlaps with clusters that other vendors track as Bluenoroff, BeagleBoyz, Stardust Chollima and NICKEL GLADSTONE, and it is related to, but tracked separately from, the broader Lazarus Group activity.

Location
...

APT38 is associated with North Korea, operating under the guidance or part of the RGB.

First Seen
...

The group has been active since at least 2014; its best-known operation, the Bangladesh Bank heist, took place in February 2016.

Observed Activities
...

APT38's activities include a wide range of cyberattacks against financial institutions. They have been responsible for significant financial thefts, including the Bangladesh Bank heist in 2016 and attacks on Bancomext and Banco de Chile in 2018. Their methods follow a multi-stage pattern: initial research on the target, compromise through means such as watering holes and exploited vulnerabilities, internal reconnaissance of the network, access to and manipulation of SWIFT servers, fraudulent transfer of funds, and finally covering their tracks by wiping disks and destroying logs.

Techniques Used by APT38
...

  • Application Layer Protocol (T1071.001): APT38 used QUICKRIDE backdoor for C2 communication over HTTP and HTTPS.
  • Browser Information Discovery (T1217): They collected browser bookmarks to learn about compromised hosts and users.
  • Brute Force (T1110): Employed brute force techniques to gain account access when passwords were unknown or password hashes were unavailable.
  • Clipboard Data (T1115): Used KEYLIME Trojan to collect clipboard data.
  • Command and Scripting Interpreter (T1059): Utilized PowerShell, VBScript, and a command-line tunneler, NACHOCHEESE, for various operational tasks.
  • Create or Modify System Process (T1543.003): Installed new Windows services for persistence.
  • Data Destruction (T1485): Implemented custom secure delete functions.
  • Data Encrypted for Impact (T1486): Used Hermes ransomware for file encryption.
  • Data Manipulation (T1565): Employed DYEPACK for manipulating SWIFT transactions and data.
  • Disk Wipe (T1561.002): Used BOOTWRECK to render systems inoperable.
  • Drive-by Compromise (T1189): Conducted watering hole schemes for initial access.
  • File and Directory Discovery (T1083): Enumerated files and directories on compromised hosts.
  • Impair Defenses (T1562): Disabled or modified system firewalls and command history logging.
  • Indicator Removal (T1070): Cleared Windows Event logs and used CLOSESHAVE for file deletion.
  • Ingress Tool Transfer (T1105): Used NESTEGG backdoor for file transfers.
  • Input Capture (T1056.001): Captured keystrokes using KEYLIME Trojan.
  • Modify Registry (T1112): Utilized CLEANTOAD tool for registry modifications.
  • Native API (T1106): Executed code using Windows API.
  • Network Share Discovery (T1135): Enumerated network shares.
  • Obfuscated Files or Information (T1027.002): Used various code packing methods.
  • Obtain Capabilities (T1588.002): Acquired and used tools like Mimikatz.
  • Phishing (T1566.001): Spearphishing campaigns with malicious attachments.
  • Process Discovery (T1057): Leveraged Sysmon for process and service discovery.
  • Scheduled Task/Job (T1053): Used cron and Task Scheduler for persistence.
  • Server Software Component (T1505.003): Employed web shells for access and persistence.
  • Software Discovery (T1518.001): Identified security software on compromised systems.
  • System Binary Proxy Execution (T1218): Used CHM files and rundll32.exe for concealed payload execution.
  • System Information Discovery (T1082): Gathered detailed information about compromised hosts.
  • System Network Connections Discovery (T1049): Installed MAPMAKER for monitoring TCP connections.
  • System Owner/User Discovery (T1033): Identified primary and current users.
  • System Services (T1569.002): Created or modified services for execution.
  • System Shutdown/Reboot (T1529): Used BOOTWRECK for system reboots.
  • User Execution (T1204.002): Lured victims to enable malicious macros.

Software Used by APT38

  • DarkComet (S0334): A multifunctional tool used for various purposes including data collection and system manipulation.
  • ECCENTRICBANDWAGON (S0593): Employed for command execution, data staging, and information removal.
  • HOPLIGHT (S0376): A versatile tool used for data encoding, firewall impairment, and system information discovery.
  • KillDisk (S0607): Used for data destruction and system disruption.
  • Mimikatz (S0002): A well-known tool for credential dumping and authentication manipulation.
  • Net (S0039): Utilized for account discovery, network share discovery, and remote system discovery.

APT38's sophisticated use of these techniques and software tools highlights their capability to conduct complex cyber operations, ranging from data theft and manipulation to system disruption and destruction.

APT39: Overview and Activities
...

APT39, also known as Chafer, Remix Kitten, Cobalt Hickman, TA454, and ITG07, is a cyber espionage group believed to be connected to the Iranian government. This group has been active since at least 2014 and is known for its focus on information theft and espionage. APT39's activities are primarily concentrated in the Middle East, but its targeting scope is global.

Description
...

APT39 was created to consolidate previous activities and methods used by this actor. Its activities largely align with those publicly referred to as “Chafer.” The group leverages backdoors like SEAWEED and CACHEMONEY, along with a specific variant of the POWBAT backdoor. APT39's focus on the telecommunications and travel industries suggests an intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes, and create additional accesses and vectors to facilitate future campaigns. Government entity targeting implies a potential secondary intent to collect geopolitical data beneficial for nation-state decision-making.

Motivation
...

The primary mission of APT39 appears to be tracking or monitoring targets of interest, collecting personal information, including travel itineraries, and gathering customer data from telecommunications firms.

Location and Observed Activities
...

APT39 is based in Iran and has been observed targeting various sectors, including Aviation, Engineering, Government, High-Tech, IT, Shipping and Logistics, Telecommunications, and Transportation. The countries targeted include Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, the UAE, the USA, and other parts of the Middle East.

APT39 (Chafer): Overview and Activities
...

Description
...

APT39, also known as Chafer, Remix Kitten, Cobalt Hickman, TA454, and ITG07, is a cyber espionage group believed to be connected to the Iranian government. It was first seen in 2014 and has been primarily active in the Middle East, targeting various sectors including aviation, engineering, government, high-tech, IT, shipping and logistics, telecommunications, and transportation. The group's activities are concentrated in the Middle East but have a global scope.

APT39's operations are characterized by the use of a variety of tools and techniques, focusing on information theft and espionage. The group has shown a particular interest in the telecommunications sector, as well as the travel industry and IT firms supporting it, and the high-tech industry. Their activities suggest an intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data, and create accesses for future campaigns.

Motivation
...

APT39's primary motivation appears to be tracking or monitoring targets of interest, collecting personal information, including travel itineraries, and gathering customer data from telecommunications firms. The targeting of government entities suggests a secondary intent to collect geopolitical data that may benefit nation-state decision-making.

Names and Affiliations
...

  • Names: Chafer, APT 39, Remix Kitten, Cobalt Hickman, TA454, ITG07
  • Affiliations: Believed to be connected to the Iranian government.

Location and First Seen

  • Location: Iran
  • First Seen: 2014

Observed Activities

  • Sectors Targeted: Aviation, Engineering, Government, High-Tech, IT, Shipping and Logistics, Telecommunications, Transportation.
  • Countries Targeted: Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, UAE, USA, and others in the Middle East.

Techniques Used by APT39

  • Application Layer Protocol: APT39 has utilized HTTP and DNS in communications with their command and control (C2) servers.
  • Archive Collected Data: They have used WinRAR and 7-Zip for compressing and archiving stolen data.
  • BITS Jobs: The group has abused the BITS protocol to exfiltrate data from compromised hosts.
  • Boot or Logon Autostart Execution: APT39 maintained persistence using the startup folder and by modifying LNK shortcuts.
  • Brute Force: Tools like Ncrack were used to reveal credentials.
  • Clipboard Data: They have employed tools capable of stealing clipboard contents.
  • Command and Scripting Interpreter: APT39 used AutoIt, PowerShell, Visual Basic, and Python for executing malicious scripts.
  • Create Account: They created local accounts on compromised hosts for network activities.
  • Credentials from Password Stores: Tools like SmartFTP Password Decryptor were used to decrypt FTP passwords.
  • Data from Local System: Various tools were used to steal files from compromised systems.
  • Deobfuscate/Decode Files or Information: Malware was used to decrypt encrypted files.
  • Event Triggered Execution: Malware was used to establish persistence via AppInit DLLs.
  • Exfiltration Over C2 Channel: Stolen data was exfiltrated through C2 communications.
  • Exploit Public-Facing Application: SQL injection was used for initial compromises.
  • File and Directory Discovery: Tools were employed to search for files on compromised hosts.
  • Indicator Removal: Malware was used to delete files post-deployment.
  • Ingress Tool Transfer: Tools were downloaded to compromised hosts.
  • Input Capture: Tools were used to capture mouse movements and keystrokes.
  • Masquerading: Malware was disguised as legitimate software like Mozilla Firefox.
  • Network Service Discovery: Tools like CrackMapExec and BLUETORCH were used for network scanning.
  • Obfuscated Files or Information: Malware dropped encrypted files and used software packing techniques.
  • Obtain Capabilities: Modified versions of publicly available tools like PLINK and Mimikatz were used.
  • OS Credential Dumping: Various versions of Mimikatz were used to dump credentials.
  • Phishing: Spearphishing emails with malicious attachments and links were used for initial compromises.
  • Proxy: Custom tools were used to create internal and external proxies.
  • Query Registry: Malware strains were used to query the Registry.
  • Remote Services: RDP, SMB, and SSH were used for lateral movement and persistence.
  • Remote System Discovery: Tools like NBTscan were used to discover remote systems.
  • Scheduled Task/Job: Scheduled tasks were created for persistence.
  • Screen Capture: Tools were used to take screenshots on compromised hosts.
  • Server Software Component: Web shells like ANTAK and ASPXSPY were installed.
  • Subvert Trust Controls: Malware was used to modify code signing policies.
  • System Owner/User Discovery: Tools like Remexi were used to collect usernames.
  • System Services: Post-exploitation tools were used for process execution.
  • User Execution: Spearphishing emails were sent to lure users into clicking malicious links or files.
  • Valid Accounts: Stolen credentials were used to compromise Outlook Web Access (OWA).
  • Web Service: C2 communications were conducted through services like Dropbox.

Software Used by APT39

  • ASPXSpy: Used for web shell operations.
  • Cadelspy: Employed for various espionage activities including audio capture and keylogging.
  • CrackMapExec: Used for account discovery, credential dumping, and network reconnaissance.
  • Mimikatz: A key tool for credential dumping and various other malicious activities.
  • NBTscan: Utilized for network service discovery and system reconnaissance.
  • PsExec: Employed for lateral movement and system service execution.
  • pwdump: Used for dumping Security Account Manager (SAM) credentials.
  • Remexi: A versatile tool used for data exfiltration, screen capture, and more.
  • Windows Credential Editor: Another tool for credential dumping, particularly LSASS memory.

APT39's operations demonstrate a high level of sophistication and a wide range of capabilities in cyber espionage, reflecting their advanced skill set in conducting complex cyber operations.

APT41 - Group Overview
...

Description:
...

APT41, a highly sophisticated cyber threat group, is known for its dual espionage and cybercrime operations. This group, active since at least 2012, has been involved in a range of activities from intellectual property theft to financial gain. APT41's operations are characterized by their complexity and precision, often targeting healthcare, high-tech, telecommunications, higher education, video game, and travel industries.

Motivation:
...

The primary motivation of APT41 appears to be a combination of state-sponsored espionage activities and financially motivated operations. This dual intent is somewhat unique among threat groups, as they engage in espionage to collect intelligence beneficial to the Chinese state while simultaneously pursuing personal financial interests.

Names:
...

APT41 is also known by other aliases, including Barium, Winnti, Wicked Panda, and Wicked Spider. These names reflect the diverse nature of their operations and the various sectors they target.

Location:
...

APT41 is believed to be based in China, with its activities aligning with Chinese state interests.

First Seen:
...

The group has been active since at least 2012, demonstrating a long history of sophisticated cyber operations.

Observed:
...

APT41's operations have been observed worldwide, with a focus on industries that align with China's Five-Year economic development plans. They have targeted organizations globally, including those in the United States, United Kingdom, Germany, Japan, South Korea, and more.

Aquatic Panda

Description
...

Aquatic Panda is a cyber threat group known for its sophisticated cyber operations. The group has been observed using a variety of techniques and tools to infiltrate and compromise target systems, often focusing on vulnerability scanning and data exfiltration.

Motivation
...

The primary motivation of Aquatic Panda appears to be espionage, with activities aimed at acquiring sensitive information from targeted organizations. Their operations suggest a focus on intelligence gathering, which is typical of state-sponsored or state-affiliated cyber espionage groups.

Names
...

Aquatic Panda is the primary name used to identify this group. However, like many cyber threat groups, they may operate under different aliases or be identified differently by various cybersecurity organizations.

Location
...

The specific location of Aquatic Panda is not clearly stated in the available data. However, many cyber espionage groups operate from countries with significant state-sponsored cyber capabilities.

First Seen
...

The exact date when Aquatic Panda was first observed is not provided in the MITRE ATT&CK database.

Observed
...

Aquatic Panda has been observed employing a range of cyber techniques, including active scanning for vulnerabilities, using PowerShell for command execution, and attempting to disable or modify endpoint detection and response (EDR) tools.

The Axiom cyber espionage group, tracked in the MITRE ATT&CK framework as G0001, is a sophisticated and long-standing threat actor. Here is a detailed overview based on the information from the MITRE ATT&CK framework:

Description:
...

Axiom is a highly skilled and persistent cyber espionage group. They are known for their advanced techniques and have been involved in numerous high-profile cyber espionage campaigns. The group is adept at using a combination of custom-developed malware and publicly available tools to achieve their objectives.

Motivation:
...

The primary motivation of Axiom appears to be cyber espionage. Their activities are typically focused on stealing sensitive information from a variety of targets, which often include government, technology, and media sectors. The nature of their operations suggests a strong interest in gathering intelligence and conducting surveillance.

Names:
...

Axiom is tracked in the MITRE ATT&CK framework under the designation G0001; other cybersecurity organizations may track the group under their own designations.

Location:
...

The exact location of Axiom is not clearly defined, but they are believed to operate out of China.

First Seen:
...

The exact date of when Axiom was first observed is not specified in the available data.

Observed:
...

Axiom has been involved in a wide range of activities, including acquiring infrastructure like DNS servers and virtual private servers, compressing and encrypting data before exfiltration, and using botnets. They have also been known to collect data from local systems and use steganography for hiding C2 communications.

BackdoorDiplomacy: Overview and Activities
...

Description:

BackdoorDiplomacy is a cyber espionage group known for its sophisticated cyber operations targeting diplomatic entities and telecommunication companies. The group is adept at exploiting public-facing applications and leveraging various sophisticated techniques to infiltrate and maintain presence in victim networks.

Motivation:

The primary motivation of BackdoorDiplomacy appears to be espionage, focusing on gathering sensitive information from diplomatic and telecommunication entities. Their activities are characterized by stealth and persistence, indicating a strategic interest in long-term intelligence gathering.

Names:

BackdoorDiplomacy is the primary name associated with this group. However, it's common for such groups to operate under multiple aliases or to be identified differently by various cybersecurity organizations.

Location:

The specific location of BackdoorDiplomacy is not clearly defined, but their targets often include entities in the Middle East and Africa, suggesting a possible regional focus.

First Seen:

The exact date of when BackdoorDiplomacy first emerged is not specified in the provided sources. However, their activities have been observed over several years, indicating a long-term operation.

Observed Activities:

BackdoorDiplomacy has been observed targeting diplomatic entities and telecommunication companies, exploiting vulnerabilities in public-facing applications, and conducting sophisticated cyber espionage operations.

BITTER APT Group
...

Description:

BITTER is an advanced persistent threat (APT) group known for its targeted cyber espionage campaigns. The group is noted for its sophisticated use of malware and phishing techniques to infiltrate and compromise high-value targets.

Motivation:

The primary motivation of BITTER appears to be espionage, focusing on acquiring sensitive information from targeted organizations and individuals. Their activities suggest an intent to gather intelligence that could be of strategic or political value.

Names:

The group is primarily known as BITTER. However, like many APT groups, it may operate under different aliases or be referred to by different names in cybersecurity reports.

Location:

The specific location of BITTER is not clearly defined in the available information. APT groups often operate across international borders, making it challenging to pinpoint a precise location.

First Seen:

The exact date of when BITTER was first observed is not provided in the available sources. APT groups often operate for some time before being detected.

Observed:

BITTER has been observed using a variety of sophisticated techniques and tools in their operations. They have targeted organizations through spearphishing campaigns and have exploited vulnerabilities in software for initial access and escalation of privileges.

BlackOasis APT Group
...

Description:

BlackOasis is a Middle Eastern threat group, believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. BlackOasis is associated with operations of a group known by Microsoft as Neodymium, although it's not confirmed if these names refer to the same group.

Motivation:

The primary motivation of BlackOasis is information theft and espionage.

Names:

BlackOasis is the name given by Kaspersky. There is a possible association with Neodymium, as identified by Microsoft, but it's not confirmed if these are aliases for the same group.

Location:

BlackOasis is based in the Middle East.

First Seen:

The group was first observed in 2015.

Observed Activities:

BlackOasis has targeted sectors including Media, Think Tanks, activists, and the UN. Geographically, their activities span across various countries including Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, Netherlands, Nigeria, Russia, Saudi Arabia, Tunisia, the UK, and others.

BlackTech (Circuit Panda, Radio Panda)
...

Description:

BlackTech is a suspected Chinese cyber espionage group that has been active since at least 2013. They primarily target organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, as well as the United States. BlackTech employs a combination of custom malware, dual-use tools, and 'living off the land' tactics to compromise networks in various sectors, including media, construction, engineering, electronics, and finance.

Motivation:

The group's primary motivation appears to be information theft and espionage. Their activities are focused on stealing technology and sensitive information from their targets.

Names:

  • BlackTech (Trend Micro)
  • Circuit Panda (CrowdStrike)
  • Radio Panda (CrowdStrike)
  • Palmerworm (Symantec)
  • TEMP.Overboard (FireEye)
  • T-APT-03 (Tencent)

Location:

China

First Seen:

2010

Observed:

BlackTech has been observed targeting sectors such as Construction, Financial, Government, Healthcare, Media, and Technology. Geographically, their activities have been focused on China, Hong Kong, Japan, Taiwan, and the USA.

Blue Mockingbird - Cyber Threat Group
...

Description:
...

Blue Mockingbird is a cyber threat group known for exploiting public-facing applications to gain initial access to victim networks. They have been observed using various techniques such as access token manipulation, command and scripting interpreter, and exploiting vulnerabilities in web applications.

Motivation:
...

The primary motivation of Blue Mockingbird appears to be resource hijacking, specifically for cryptocurrency mining. They use tools like XMRig to mine cryptocurrency on victim systems.

Names:
...

The group is commonly referred to as Blue Mockingbird.

Location:
...

The specific location of Blue Mockingbird is not clearly identified in the available sources.

First Seen:
...

The exact date of when Blue Mockingbird was first observed is not provided in the available information.

Observed Activities:
...

Blue Mockingbird has been observed engaging in various malicious activities, including:

  • Exploiting CVE-2019-18935, a vulnerability in Telerik UI for ASP.NET AJAX.
  • Using PowerShell and batch script files for command execution.
  • Establishing persistence through methods like Windows Service and WMI Event Subscription.
  • Hijacking execution flow and masquerading their payloads.
  • Using tools like Mimikatz for credential dumping.
  • Establishing proxy connections and using remote services for file transfer.
  • Resource hijacking for cryptocurrency mining.

Bouncing Golf

Bouncing Golf, also known as Domestic Kitten, APT-C-50, and by its MITRE ATT&CK designation G0097, is a cyberespionage campaign primarily targeting Middle Eastern countries. This campaign is believed to be state-sponsored and originates from Iran. It has been active since at least 2016 and is known for its focus on information theft and espionage.

Description
...

  • Bouncing Golf/Domestic Kitten: This campaign is notable for its use of mobile applications loaded with spyware to collect sensitive information. The attackers use fake decoy content to entice victims to download these applications, which then enable the collection of a wide range of data, including contact lists, call records, SMS messages, browser history, geo-location, photos, voice recordings, and more.

Motivation

  • Information Theft and Espionage: The primary motivation behind Bouncing Golf is to gather sensitive information, particularly from Kurdish and Turkish natives, ISIS supporters, and Iranian citizens. This data is likely used for further actions against these groups.

Names

  • Aliases: Domestic Kitten (Check Point), APT-C-50 (Check Point), Bouncing Golf (Trend Micro).

Location

  • Country: Iran.

First Seen

  • Initial Activity: The campaign was first observed in 2016.

Observed Activities

  • Target Regions: Afghanistan, Iran, Iraq, Pakistan, Turkey, the UK, the USA, and Uzbekistan.
  • Notable Operations:
    • June 2019: Mobile Campaign ‘Bouncing Golf’ Affects the Middle East.
    • November 2020: Over 1,200 individuals targeted, with more than 600 successful infections across 10 unique campaigns.
    • October 2022: Domestic Kitten campaign using new FurBall malware to spy on Iranian citizens.

Chimera - Group Overview 🕵️‍♂️🌍
...

Description: 📝
...

Chimera is a suspected China-based threat group 🇨🇳 that has been active since at least 2018 📅. This group is known for targeting the semiconductor industry in Taiwan 🏭 as well as obtaining data from the airline industry ✈️.

Motivation: 💭
...

While the specific motivations of Chimera are not detailed in the provided text, their targeting of the semiconductor 🧬 and airline industries ✈️ suggests a focus on industrial espionage 🕵️‍♀️ and possibly intellectual property theft 🚨.

Names: 📛
...

The group is primarily known as Chimera 🐉.

Location: 🌏
...

Chimera is suspected to be based in China 🇨🇳.

First Seen: 👀
...

The group has been active since at least 2018 📅.

Observed: 🔍
...

Chimera has been observed engaging in sophisticated cyber espionage activities 🖥️, particularly targeting the semiconductor industry in Taiwan 🏭 and the airline industry ✈️ for data exfiltration and possibly intellectual property theft 🚨.

Techniques Used in all tactics
...

  1. Account Discovery - Used net user for local and domain account discovery.
  2. Application Layer Protocol - Utilized HTTPS and DNS for C2 communications.
  3. Archive Collected Data - Employed gzip and modified RAR software for archiving data.
  4. Automated Collection - Used custom DLLs for continuous data retrieval.
  5. Browser Information Discovery - Executed commands for bookmark discovery.
  6. Brute Force - Engaged in password spraying and credential stuffing attacks.
  7. Command and Scripting Interpreter - Used PowerShell scripts and Windows Command Shell for execution.
  8. Data from Information Repositories - Collected documents from SharePoint.
  9. Data from Network Shared Drive - Retrieved data from network shares.
  10. Data Staged - Staged stolen data locally and remotely.
  11. Domain Trust Discovery - Used nltest to identify domain trust relationships.
  12. Email Collection - Harvested data from local and remote email collections.
  13. Exfiltration Over C2 Channel - Used Cobalt Strike C2 beacons for data exfiltration.
  14. Exfiltration Over Web Service - Exfiltrated data to OneDrive accounts.
  15. External Remote Services - Accessed external VPN, Citrix, SSH, and other services.
  16. File and Directory Discovery - Identified data of interest in file and directory listings.
  17. Gather Victim Identity Information - Collected credentials from previous breaches.
  18. Hijack Execution Flow - Employed DLL side-loading.
  19. Indicator Removal - Cleared event logs, performed file deletion, and used timestomp.
  20. Ingress Tool Transfer - Remotely copied tools and malware onto targeted systems.
  21. Lateral Tool Transfer - Copied tools between compromised hosts using SMB.
  22. Masquerading - Renamed malware to mimic legitimate applications.
  23. Modify Authentication Process - Altered NTLM authentication on domain controllers.
  24. Multi-Factor Authentication Interception - Registered alternate phone numbers for 2FA interception.
  25. Native API - Used direct Windows system calls.

Software Used by Chimera
...

  1. BloodHound
  2. Cobalt Strike
  3. esentutl
  4. Mimikatz
  5. Net
  6. PsExec

Chimera's use of these software tools demonstrates their capabilities in conducting sophisticated cyber espionage operations, including credential theft, lateral movement, and data exfiltration.

🕵️‍♂️ Cleaver - Group Overview 🇮🇷
...

📜 Description:
...

Cleaver is a formidable threat group attributed to Iranian actors, responsible for the activities tracked as Operation Cleaver. The group is known for its sophisticated cyber operations and has been linked to Threat Group 2889 (TG-2889).

💡 Motivation:
...

While the specific motivations of Cleaver are not detailed in the provided text, their advanced cyber operations suggest objectives aligned with state-sponsored espionage or intelligence gathering.

📛 Names:
...

Cleaver is also associated with Threat Group 2889 (TG-2889).

🌍 Location:
...

Cleaver is attributed to Iranian actors.

📅 First Seen:
...

The date of Cleaver's first observed activity is not specified in the provided text.

👀 Observed:
...

Cleaver has been observed employing a range of sophisticated techniques and tools for cyber operations, including ARP cache poisoning, creating customized tools and payloads, and establishing fake social media accounts. 🌐👁️‍🗨️🌐

Techniques Used in all tactics
...

  1. Adversary-in-the-Middle: ARP Cache Poisoning - Cleaver has used custom tools for ARP cache poisoning.
  2. Develop Capabilities: Malware - Created customized tools and payloads for various functions including encryption, credential dumping, and network interface sniffing.
  3. Establish Accounts: Social Media Accounts - Created fake LinkedIn profiles with detailed information and connections.
  4. Obtain Capabilities: Tool - Obtained and used open-source tools like PsExec, Windows Credential Editor, and Mimikatz.
  5. OS Credential Dumping: LSASS Memory - Known for dumping credentials using Mimikatz and Windows Credential Editor.

Software Used by Cleaver
...

  1. Mimikatz - Used for various purposes including access token manipulation, credential dumping, and account manipulation.
  2. Net Crawler - Employed for password cracking, OS credential dumping, and accessing remote services.
  3. PsExec - Utilized for creating accounts, modifying system processes, lateral tool transfer, and executing system services.
  4. TinyZBot - Used for autostart execution, clipboard data capture, command execution, impairing defenses, input capture, and screen capture.

Cleaver's use of these software tools demonstrates their capabilities in conducting complex cyber operations, including credential theft, lateral movement, and maintaining access within targeted networks.

🏴 Cobalt Group - Group Overview 🏴
...

📜 Description:
...

The Cobalt Group 🏦 is a financially motivated threat group that has been primarily targeting financial institutions since at least 2016. The group is known for conducting intrusions to steal money 💰 by targeting ATM systems 🏧, card processing 💳, payment systems 💸, and SWIFT systems 🌐. Cobalt Group has mainly targeted banks 🏛️ in Eastern Europe 🌍, Central Asia 🗺️, and Southeast Asia 🌏.

💡 Motivation:
...

The primary motivation of the Cobalt Group is financial gain 💲, achieved through sophisticated cyber intrusions into banking systems 🏦 and financial infrastructure 💼.

📛 Names:
...

Cobalt Group is also known as GOLD KINGSWOOD 👑, Cobalt Gang 🕴️, and Cobalt Spider 🕷️.

🌍 Location:
...

The specific location of the Cobalt Group is not mentioned 🌐, but they have targeted banks 🏛️ in Eastern Europe 🌍, Central Asia 🗺️, and Southeast Asia 🌏.

📅 First Seen:
...

Cobalt Group has been active since at least 2016 📆.

👀 Observed:
...

The group has been observed conducting sophisticated cyberattacks on financial institutions, including ATM systems 🏧 and SWIFT systems 🌐. Despite the arrest of one of its alleged leaders in Spain 🇪🇸 in early 2018, the group remains active 🔒.

Techniques Used in all tactics
...

  1. Abuse Elevation Control Mechanism: Bypass User Account Control - Cobalt Group has bypassed UAC.
  2. Application Layer Protocol: Web Protocols, DNS - Used HTTPS and DNS tunneling for C2.
  3. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Used Registry Run keys and Startup path for persistence.
  4. Boot or Logon Initialization Scripts: Logon Script (Windows) - Added persistence via HKCU\Environment\UserInitMprLogonScript.
  5. Command and Scripting Interpreter: PowerShell, Windows Command Shell, Visual Basic, JavaScript - Executed various scripting languages for malicious activities.
  6. Create or Modify System Process: Windows Service - Created new services for persistence.
  7. Encrypted Channel: Asymmetric Cryptography - Used Plink utility for SSH tunnels.
  8. Exploitation for Client Execution - Exploited multiple vulnerabilities for execution.
  9. Exploitation for Privilege Escalation - Used exploits to increase privileges.
  10. Indicator Removal: File Deletion - Deleted DLL dropper to cover tracks.
  11. Ingress Tool Transfer - Used public sites to upload and download files.
  12. Inter-Process Communication: Dynamic Data Exchange - Sent malicious Word OLE compound documents.
  13. Network Service Discovery - Leveraged SoftPerfect Network Scanner for scanning.
  14. Obfuscated Files or Information: Command Obfuscation - Obfuscated scriptlets and code.
  15. Obtain Capabilities: Tool - Obtained and used tools like Mimikatz, PsExec, Cobalt Strike, and SDelete.
  16. Phishing: Spearphishing Attachment, Spearphishing Link - Sent spearphishing emails with various attachments and links.
  17. Process Injection - Injected code into trusted processes.
  18. Protocol Tunneling - Used Plink utility for SSH tunnels.
  19. Remote Access Software - Used Ammyy Admin and TeamViewer for remote access.
  20. Remote Services: Remote Desktop Protocol - Used RDP for lateral movement.
  21. Scheduled Task/Job: Scheduled Task - Created Windows tasks for persistence.
  22. Software Discovery: Security Software Discovery - Collected list of security solutions installed.
  23. Supply Chain Compromise: Compromise Software Supply Chain - Compromised legitimate web browser updates.
  24. System Binary Proxy Execution: CMSTP, Odbcconf, Regsvr32 - Used various system binaries for proxy execution.
  25. User Execution: Malicious Link, Malicious File - Sent emails with malicious links and files.
  26. XSL Script Processing - Used msxsl.exe to bypass AppLocker.

Software Used by Cobalt Group
...

  1. Cobalt Strike - Used for a variety of purposes including network discovery, process injection, and data exfiltration.
  2. Mimikatz - Utilized for credential dumping and access token manipulation.
  3. More_eggs - Employed for web protocol communication, command execution, and information discovery.
  4. PsExec - Used for creating accounts, modifying system processes, and executing system services.
  5. SDelete - Used for data destruction and file deletion.
  6. SpicyOmelette - Utilized for command execution, phishing, and software discovery.

Cobalt Group's use of these software tools demonstrates their focus on financial theft, maintaining access, privilege escalation, and lateral movement within targeted financial networks.

🧐 Confucius - Group Overview 🌏

📜 Description:

Confucius is a cyber espionage group that has primarily targeted military personnel 🎖️, high-profile personalities 👤, business persons 🕴️, and government organizations 🏛️ in South Asia 🌏 since at least 2013. The group is known for its custom malware code 💻 and its choice of targets, both of which show noted similarities to the Patchwork group 🧩.

💡 Motivation:

The primary motivation of Confucius appears to be espionage 🕵️, focusing on gathering sensitive information 📁 from military 🎖️, governmental 🏛️, and high-profile targets 👤 in South Asia 🌏.

📛 Names:

Confucius is also referred to as Confucius APT 🏷️.

🌍 Location:

Confucius primarily targets entities in South Asia 🌏.

📅 First Seen:

The group has been active since at least 2013 📆.

👀 Observed:

Confucius has been observed engaging in sophisticated cyber espionage activities, utilizing custom malware 💻 and various techniques 🛠️ to infiltrate and extract information 📜 from its targets 🎯.

Techniques Used in all tactics

No. | Technique | Description
1 | Acquire Infrastructure: Web Services | Obtained cloud storage service accounts to host stolen data.
2 | Application Layer Protocol: Web Protocols | Used HTTP for C2 communications.
3 | Automated Collection | Employed a file stealer to steal documents and images.
4 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Dropped malicious files into the startup folder for persistence.
5 | Command and Scripting Interpreter: PowerShell, Visual Basic | Executed PowerShell and VBScript for malicious activities.
6 | Exfiltration Over C2 Channel | Exfiltrated stolen files to its C2 server.
7 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfiltrated data to cloud storage service accounts.
8 | Exploitation for Client Execution | Exploited Microsoft Office vulnerabilities for execution.
9 | File and Directory Discovery | Used a file stealer to check specific folders for documents and images.
10 | Ingress Tool Transfer | Downloaded additional files and payloads onto compromised hosts.
11 | Phishing: Spearphishing Attachment, Spearphishing Link | Crafted and sent malicious attachments and links to gain initial access.
12 | Scheduled Task/Job: Scheduled Task | Created scheduled tasks for persistence.
13 | System Binary Proxy Execution: Mshta | Used mshta.exe to execute malicious VBScript.
14 | System Information Discovery | Examined system drives for information.
15 | Template Injection | Used weaponized Microsoft Word documents with embedded RTF exploits.
16 | User Execution: Malicious Link, Malicious File | Lured victims to click on malicious links or execute malicious attachments.

Software Used by Confucius

No. | Software | Purpose
1 | Hornbill | Used for various purposes including audio capture, data exfiltration, and screen capture.
2 | Sunbird | Employed for audio capture, data exfiltration, and location tracking.
3 | WarzoneRAT | Utilized for command execution, credential theft, and process injection.

Confucius's use of these software tools demonstrates their capabilities in conducting targeted cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.

🐱 CopyKittens - Group Overview 🌐

📜 Description:

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. The group has targeted various countries, including Israel 🇮🇱, Saudi Arabia 🇸🇦, Turkey 🇹🇷, the U.S. 🇺🇸, Jordan 🇯🇴, and Germany 🇩🇪. It is responsible for the campaign known as Operation Wilted Tulip 🌷.

💡 Motivation:

The primary motivation of CopyKittens appears to be espionage 🕵️, focusing on gathering sensitive information 📄 from a range of international targets 🌍.

📛 Names:

CopyKittens is the primary name used to identify this group 🏷️.

🌍 Location:

CopyKittens is an Iranian group 🇮🇷, targeting entities in countries such as Israel 🇮🇱, Saudi Arabia 🇸🇦, Turkey 🇹🇷, the U.S. 🇺🇸, Jordan 🇯🇴, and Germany 🇩🇪.

📅 First Seen:

The group has been active since at least 2013 📆.

👀 Observed:

CopyKittens has been observed conducting cyber espionage activities 🌐, utilizing various techniques 🛠️ and tools 🖥️ to infiltrate and extract information 📜 from its targets 🎯.

Techniques Used in all tactics

No. | Technique | Description
1 | Archive Collected Data: Archive via Utility, Archive via Custom Method | Used ZPP to compress files with ZIP and encrypted data with a substitution cipher.
2 | Command and Scripting Interpreter: PowerShell | Utilized PowerShell Empire for execution.
3 | Hide Artifacts: Hidden Window | Concealed PowerShell windows using hidden flags.
4 | Obtain Capabilities: Tool | Used tools such as Metasploit, Empire, and AirVPN.
5 | Proxy | Employed the AirVPN service for operational activity.
6 | Subvert Trust Controls: Code Signing | Digitally signed an executable with a stolen certificate.
7 | System Binary Proxy Execution: Rundll32 | Used rundll32 to load various tools, including lateral movement tools and Cobalt Strike.

Software Used by CopyKittens

No. | Software | Purpose
1 | Cobalt Strike | Employed for a variety of purposes including network discovery, process injection, and data exfiltration.
2 | Empire | Utilized for command execution, credential dumping, and lateral movement.
3 | Matryoshka | Used for DNS communication, keylogging, and screen capture.
4 | TDTESS | Employed for command execution, process creation, and indicator removal.

CopyKittens' use of these software tools demonstrates their capabilities in conducting targeted cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.

☢️ CURIUM - Group Overview 🇮🇷

📜 Description:

CURIUM is an Iranian threat group first reported in November 2021. The group is known for its unique approach of investing time to build relationships with potential targets via social media 📱 over several months. This method is used to establish trust and confidence before sending malware 💻. CURIUM demonstrates great patience and persistence, engaging in daily chats 💬 with potential targets and sending benign files 📁 to lower their security consciousness.

💡 Motivation:

While the specific motivations of CURIUM have not been publicly documented, their methodical approach to targeting individuals suggests objectives aligned with espionage 🕵️ or intelligence gathering 📡.

📛 Names:

CURIUM is the primary name used to identify this group 🏷️.

🌍 Location:

CURIUM is identified as an Iranian threat group 🇮🇷.

📅 First Seen:

The group was first reported in November 2021 📆.

👀 Observed:

CURIUM has been observed using social engineering tactics 🎭, particularly through social media 📱, to engage with and eventually compromise targets. Their approach indicates a focus on individual targets rather than broad, indiscriminate campaigns 🎯.

Techniques Used in all tactics

No. | Tactic/Technique | Description
1 | Data from Local System | CURIUM has exfiltrated data from compromised machines.
2 | Establish Accounts: Social Media Accounts | Established fictitious social media accounts, including on Facebook and LinkedIn, to build relationships with victims, often posing as an attractive woman.
3 | Phishing: Spearphishing via Service | Used social media to deliver malicious files to victims.
4 | User Execution: Malicious File | Lured users into opening malicious files delivered via social media.

Software Used by CURIUM

The specific software tools used by CURIUM have not been publicly documented. However, their tactics suggest the use of custom malware and social engineering tooling designed to engage targets and deliver malicious payloads through social media platforms.

CURIUM's approach, focusing on establishing trust through social media interactions before deploying malicious payloads, highlights their methodical and patient strategy in cyber espionage operations.

🦅 Dark Caracal - Group Overview 🇱🇧

📜 Description:

Dark Caracal is a threat group attributed to the Lebanese General Directorate of General Security (GDGS). It has been operational since at least 2012 and is known for its global cyber-espionage campaigns 🌐.

💡 Motivation:

While the specific motivations of Dark Caracal have not been publicly documented, the group's activities suggest a focus on espionage 🕵️, likely driven by national security 🛡️ or political interests 🗳️.

📛 Names:

Dark Caracal is the primary name used to identify this group 🏷️.

🌍 Location:

Dark Caracal is attributed to the Lebanese General Directorate of General Security (GDGS) 🇱🇧.

📅 First Seen:

The group has been active since at least 2012 📆.

👀 Observed:

Dark Caracal has been observed conducting cyber-espionage activities 🌐, utilizing various techniques 🛠️ to infiltrate systems, collect data 📈, and maintain persistence 🔒.

Techniques Used in all tactics

No. | Technique | Description
1 | Application Layer Protocol: Web Protocols | Used HTTP for C2 communications with Base64 encoded payloads.
2 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Added a registry key for persistence.
3 | Command and Scripting Interpreter: Windows Command Shell | Used macros in Word documents to download a second stage.
4 | Data from Local System | Collected contents of the 'Pictures' folder from compromised Windows systems.
5 | Drive-by Compromise | Leveraged a watering hole to serve up malicious code.
6 | File and Directory Discovery | Collected file listings of all default Windows directories.
7 | Obfuscated Files or Information | Obfuscated strings in Bandook.
8 | Phishing: Spearphishing via Service | Spearphished victims via Facebook and WhatsApp.
9 | Screen Capture | Took screenshots using their Windows malware.
10 | System Binary Proxy Execution: Compiled HTML File | Leveraged a compiled HTML file to download and run an executable.
11 | User Execution: Malicious File | Made malware appear like common file types to entice user interaction.

Software Used by Dark Caracal

No. | Software | Purpose
1 | Bandook | Used for various purposes including audio capture, data exfiltration, and screen capture.
2 | CrossRAT | Employed for file and directory discovery and screen capture.
3 | FinFisher | Utilized for privilege escalation, file discovery, and input capture.
4 | Pallas | Used for audio capture, location tracking, and data exfiltration.

Dark Caracal's use of these software tools demonstrates their capabilities in conducting sophisticated cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.

🏨 Darkhotel - Group Overview 🇰🇷

📜 Description:

Darkhotel is a suspected South Korean threat group that has been active since at least 2004. The group is known for its cyber espionage operations 🌐 conducted via hotel Internet networks 🏨 against traveling executives 👨‍💼 and other select guests 🌐. Darkhotel has also engaged in spearphishing campaigns 🎣 and infected victims through peer-to-peer and file-sharing networks 📂.

💡 Motivation:

While the specific motivations of Darkhotel have not been publicly documented, their targeting of executives 👔 and use of espionage tactics 🕵️ suggest motivations related to intelligence gathering 📡, possibly for economic 💰 or political 🗳️ advantage.

📛 Names:

Darkhotel is also associated with the name DUBNIUM 🏷️.

🌍 Location:

Darkhotel is suspected to be based in South Korea 🇰🇷 and primarily targets victims in East Asia 🌏.

📅 First Seen:

The group has been operational since at least 2004 📆.

👀 Observed:

Darkhotel has been observed conducting sophisticated cyber espionage activities 🌐, utilizing various techniques 🛠️ to infiltrate systems, collect data 📊, and maintain persistence 🔒.

Techniques Used in all tactics

No. | Technique | Description
1 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Established persistence by adding programs to the Run Registry key.
2 | Command and Scripting Interpreter: Windows Command Shell | Dropped a shell script to download and execute files.
3 | Deobfuscate/Decode Files or Information | Decrypted strings and imports using RC4, XOR, and RSA.
4 | Drive-by Compromise | Used embedded iframes on hotel login portals for malware distribution.
5 | Encrypted Channel: Symmetric Cryptography | Used AES-256 and 3DES for C2 communications.
6 | Exploitation for Client Execution | Exploited Adobe Flash vulnerability for execution.
7 | File and Directory Discovery | Searched for files with specific patterns.
8 | Ingress Tool Transfer | Downloaded additional malware from C2 servers.
9 | Input Capture: Keylogging | Employed keyloggers.
10 | Masquerading: Match Legitimate Name or Location | Disguised malware as an SSH tool.
11 | Obfuscated Files or Information | Obfuscated code using RC4, XOR, and RSA.
12 | Phishing: Spearphishing Attachment | Sent spearphishing emails with malicious attachments.
13 | Process Discovery | Collected a list of running processes.
14 | Replication Through Removable Media | Modified executables on removable media for spreading.
15 | Software Discovery: Security Software Discovery | Searched for anti-malware strings and processes.
16 | Subvert Trust Controls: Code Signing | Used stolen or forged code-signing certificates.
17 | System Information Discovery | Collected system information from compromised hosts.
18 | System Network Configuration Discovery | Gathered IP address and network adapter information.
19 | System Time Discovery | Obtained system time from compromised hosts.
20 | Taint Shared Content | Propagated by infecting executables on shared drives.
21 | User Execution: Malicious File | Lured users into clicking on malicious attachments.
22 | Virtualization/Sandbox Evasion | Employed just-in-time decryption and system checks to evade detection.

Software Used by Darkhotel

No. | Software | Purpose
1 | Bandook | Used for various purposes including audio capture, data exfiltration, and screen capture.
2 | CrossRAT | Employed for file and directory discovery and screen capture.
3 | FinFisher | Utilized for privilege escalation, file discovery, and input capture.
4 | Pallas | Used for audio capture, location tracking, and data exfiltration.

Darkhotel's use of these software tools demonstrates their capabilities in conducting targeted cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.

🌊 DarkHydrus - Group Overview 🏛️

📜 Description:

DarkHydrus is a threat group that has been actively targeting government agencies 🏛️ and educational institutions 🎓 in the Middle East 🌍 since at least 2016. The group is known for heavily leveraging open-source tools 🛠️ and custom payloads 💾 to carry out its attacks.

💡 Motivation:

While the specific motivations of DarkHydrus have not been publicly documented, their targeting of government 🏛️ and educational institutions 🎓 suggests objectives related to espionage 🕵️ or intelligence gathering 📡, possibly for political 🗳️ or strategic 🌐 purposes.

📛 Names:

DarkHydrus is the primary name used to identify this group 🏷️.

🌍 Location:

DarkHydrus primarily targets entities in the Middle East 🌍.

📅 First Seen:

The group has been active since at least 2016 📆.

👀 Observed:

DarkHydrus has been observed using a variety of techniques 🛠️ to infiltrate systems 💻, execute commands ⌨️, and exfiltrate data 📤, focusing on government agencies 🏛️ and educational institutions 🎓.

Techniques Used in all tactics

No. | Technique | Description
1 | Command and Scripting Interpreter: PowerShell | Leveraged PowerShell to download and execute additional scripts.
2 | Forced Authentication | Used Template Injection to launch an authentication window for credential harvesting.
3 | Hide Artifacts: Hidden Window | Concealed PowerShell windows.
4 | Obtain Capabilities: Tool | Obtained and used tools like Mimikatz, Empire, and Cobalt Strike.
5 | Phishing: Spearphishing Attachment | Sent spearphishing emails with malicious attachments, including password-protected RAR archives and Microsoft Office documents.
6 | Template Injection | Used Phishery to inject malicious remote template URLs into Word documents.
7 | User Execution: Malicious File | Required users to enable execution in Microsoft Excel for .iqy file download.

Software Used by DarkHydrus

No. | Software | Purpose
1 | Cobalt Strike | Used for various purposes including command execution, data encoding, and process injection.
2 | Mimikatz | Employed for credential dumping and access token manipulation.
3 | RogueRobin | Utilized for command execution, data encoding, and screen capture.

DarkHydrus's use of these software tools demonstrates their capabilities in conducting sophisticated cyber espionage operations, including credential theft, surveillance, and maintaining access within targeted networks.

💰 DarkVishnya - Group Overview 🏦

📜 Description:

DarkVishnya is a financially motivated threat actor known for targeting financial institutions 🏦 in Eastern Europe 🌍. The group has been active in conducting sophisticated cyberattacks 🌐 against at least eight banks 🏛️ in the region during 2017-2018.

💡 Motivation:

The primary motivation of DarkVishnya appears to be financial gain 💰, as evidenced by their focus on attacking financial institutions 🏦.

📛 Names:

The group is known as DarkVishnya 🏷️.

🌍 Location:

DarkVishnya has primarily targeted financial institutions 🏦 in Eastern Europe 🌍.

📅 First Seen:

The group's activities were first reported in 2017 📆.

👀 Observed:

DarkVishnya has been observed using a variety of techniques 🛠️ to infiltrate financial institutions 🏦, execute commands ⌨️, and potentially exfiltrate sensitive financial data 📈.

Techniques Used in all tactics

No. | Technique | Description
1 | Brute Force (T1110) | DarkVishnya used brute-force attacks to obtain login data.
2 | Command and Scripting Interpreter: PowerShell (T1059.001) | Utilized PowerShell to create shellcode loaders.
3 | Create or Modify System Process: Windows Service (T1543.003) | Created new services for distributing shellcode loaders.
4 | Hardware Additions (T1200) | Employed devices like Bash Bunny, Raspberry Pi, netbooks, or inexpensive laptops to connect to local networks.
5 | Network Service Discovery (T1046) | Performed port scanning to identify active services.
6 | Network Share Discovery (T1135) | Scanned for public shared folders on the network.
7 | Network Sniffing (T1040) | Used network sniffing techniques to obtain login data.
8 | Non-Standard Port (T1571) | Utilized ports 5190, 7900, 4444, 4445, and 31337 for shellcode listeners and C2 communications.
9 | Obtain Capabilities: Tool (T1588.002) | Acquired and used tools like Impacket, Winexe, and PsExec.
10 | Remote Access Software (T1219) | Employed DameWare Mini Remote Control for lateral movement within networks.

Software Used by DarkVishnya

No. | Software | Purpose
1 | PsExec | Used for creating accounts, modifying system processes, lateral tool transfer, and executing system services.
2 | Winexe | Utilized for executing system services.

DarkVishnya's tactics and tools indicate a high level of sophistication in conducting targeted attacks against financial institutions, with a clear focus on gaining unauthorized access, conducting surveillance, and potentially facilitating financial fraud or theft.

🐼 Deep Panda - Group Overview 🇨🇳

📜 Description:

Deep Panda is a sophisticated and suspected Chinese threat group 🇨🇳 known for targeting a wide range of industries, including government 🏛️, defense 🛡️, financial 💰, and telecommunications 📡 sectors. The group has been active for several years 📆 and is known for its advanced cyber espionage tactics 🌐.

💡 Motivation:

Deep Panda's primary motivation appears to be cyber espionage 🕵️, gathering intelligence 📊 and sensitive information 📄 from targeted organizations 🎯 and government entities 🏛️.

📛 Names:

Deep Panda is also known by several other names 🏷️, including Shell Crew 🐚, WebMasters 🌐, KungFu Kittens 🥋, PinkPanther 🐾, and Black Vine 🍇.

🌍 Location:

While the specific location of Deep Panda is not explicitly mentioned 🌏, it is suspected to be based in China 🇨🇳.

📅 First Seen:

Deep Panda's activities have been observed for several years 📆, with significant operations noted as early as 2014.

👀 Observed:

Deep Panda has been observed targeting a variety of sectors 🏢 with sophisticated cyber espionage campaigns 🌐. The group's intrusion into the healthcare company Anthem 🏥 is one of its most notable operations.

Techniques Used in all tactics

No. | Technique | Description
1 | Command and Scripting Interpreter: PowerShell (T1059.001) | Used PowerShell scripts for downloading and executing programs in memory.
2 | Event Triggered Execution: Accessibility Features (T1546.008) | Utilized the sticky-keys technique to bypass RDP login screens.
3 | Hide Artifacts: Hidden Window (T1564.003) | Concealed PowerShell windows using the -w hidden parameter.
4 | Obfuscated Files or Information: Indicator Removal from Tools (T1027.005) | Updated and modified malware to evade detection.
5 | Process Discovery (T1057) | Employed Microsoft Tasklist utility for listing running processes.
6 | Remote Services: SMB/Windows Admin Shares (T1021.002) | Used net.exe for connecting to network shares.
7 | Remote System Discovery (T1018) | Utilized ping for identifying other machines of interest.
8 | Server Software Component: Web Shell (T1505.003) | Deployed Web shells on public web servers.
9 | System Binary Proxy Execution: Regsvr32 (T1218.010) | Executed server variant of Derusbi using regsvr32.exe.
10 | Windows Management Instrumentation (T1047) | Used WMI for lateral movement.

Software Used by Deep Panda

No. | Software | Purpose
1 | Derusbi | A multifunctional malware toolkit used for various malicious activities.
2 | Mivast | Employed for autostart execution and credential dumping.
3 | Net | Utilized for account discovery, network share discovery, and remote services.
4 | Ping | Used for remote system discovery.
5 | Sakula | A backdoor used for gaining persistent access and executing malicious activities.
6 | StreamEx | Employed for command execution, registry modification, and information gathering.
7 | Tasklist | Used for process and software discovery.

Deep Panda's operations demonstrate a high level of sophistication and focus on long-term intelligence gathering. The group's use of advanced techniques and custom malware indicates a well-resourced and skilled adversary capable of conducting significant cyber espionage campaigns.

🐉 Dragonfly - Group Overview 🇷🇺

📜 Description:

Dragonfly is a cyber espionage group attributed to Russia's Federal Security Service (FSB) Center 16 🇷🇺. Active since at least 2010, Dragonfly has targeted defense 🛡️ and aviation ✈️ companies, government entities 🏛️, companies related to industrial control systems 🏭, and critical infrastructure sectors 🏭🌐 worldwide. The group employs supply chain attacks ⛓️, spearphishing 🎣, and drive-by compromise attacks 🖥️ in its operations.

💡 Motivation:

Dragonfly's primary motivation appears to be cyber espionage 🕵️, focusing on gathering intelligence 📈 and compromising critical infrastructure 🏭 for strategic advantage 🌍.

📛 Names:

Dragonfly is also known by various aliases 🏷️, including TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, and Energetic Bear.

🌍 Location:

Dragonfly is believed to be operating out of Russia 🇷🇺.

📅 First Seen:

The group has been active since at least 2010 📆.

👀 Observed:

Dragonfly has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors 🏢, particularly those related to national security 🛡️ and critical infrastructure 🏭.

Techniques Used in all tactics

No. | Technique | Description
1 | Account Discovery (T1087.002) | Used batch scripts for user enumeration on domain controllers.
2 | Account Manipulation (T1098) | Added new accounts to administrators group for elevated access.
3 | Acquire Infrastructure (T1583.001 & .003) | Registered domains and acquired VPS infrastructure for campaigns.
4 | Active Scanning (T1595.002) | Scanned systems for vulnerable services.
5 | Application Layer Protocol (T1071.002) | Used SMB for command and control (C2) communications.
6 | Archive Collected Data (T1560) | Compressed data into .zip files for exfiltration.
7 | Boot or Logon Autostart Execution (T1547.001) | Established persistence via Registry Run keys.
8 | Brute Force (T1110 & .002) | Attempted to brute force credentials and used password cracking tools.
9 | Command and Scripting Interpreter (T1059 & sub-techniques) | Utilized various scripting methods, including PowerShell, batch scripts, and Python for execution.
10 | Compromise Infrastructure (T1584.004) | Compromised legitimate websites for C2 and malware hosting.
11 | Create Account (T1136.001) | Created local accounts on victims.
12 | Data from Local System (T1005) | Collected data from local systems.
13 | Data Staged (T1074.001) | Staged data in specific directories for exfiltration.
14 | Drive-by Compromise (T1189) | Used strategic web compromise with exploit kits.
15 | Email Collection (T1114.002) | Accessed email accounts using Outlook Web Access.
16 | Exploit Public-Facing Application (T1190) | Exploited vulnerabilities in public-facing applications.
17 | Exploitation for Client Execution (T1203) | Exploited Adobe Flash Player vulnerability for execution.
18 | Exploitation of Remote Services (T1210) | Exploited Windows Netlogon vulnerability.
19 | External Remote Services (T1133) | Used VPNs and OWA for persistent access.
20 | File and Directory Discovery (T1083) | Gathered file and folder names from hosts.
21 | Forced Authentication (T1187) | Collected hashed credentials via spearphishing and .LNK file modifications.
22 | Gather Victim Org Information (T1591.002) | Collected open-source information for targeting.
23 | Hide Artifacts (T1564.002) | Modified Registry to hide user accounts.
24 | Impair Defenses (T1562.004) | Disabled host-based firewalls and opened specific ports.
25 | Indicator Removal (T1070.001 & .004) | Cleared event logs and deleted files used in operations.
26 | Ingress Tool Transfer (T1105) | Transferred tools for operations within victim environments.
27 | Masquerading (T1036) | Created accounts disguised as legitimate service accounts.
28 | Modify Registry (T1112) | Used Reg for various techniques.
29 | Network Share Discovery (T1135) | Identified and browsed file servers in victim networks.
30 | Obtain Capabilities (T1588.002) | Used tools like Mimikatz, CrackMapExec, and PsExec.
31 | OS Credential Dumping (T1003 & sub-techniques) | Used tools to dump password hashes and credentials.

Software Used by Dragonfly

No. | Software | Purpose
1 | Backdoor.Oldrea | A multifunctional backdoor used for various malicious activities.
2 | CrackMapExec | A tool used for network reconnaissance and credential dumping.
3 | Impacket | A collection of Python classes for working with network protocols.
4 | MCMD | A malware used for command execution and data exfiltration.
5 | Mimikatz | A tool used for credential dumping and lateral movement.
6 | Net | A Windows command-line tool used for network reconnaissance and remote access.
7 | netsh | A command-line scripting utility used to modify network configurations.
8 | PsExec | A tool for executing processes on remote systems.
9 | Reg | A command-line tool for modifying the Windows Registry.

🐉 DragonOK - Group Overview 🇯🇵

📜 Description:

DragonOK is a cyber threat group known for targeting Japanese organizations 🇯🇵 through phishing emails 📧. The group's activities are characterized by the use of a variety of malware 💻 and sophisticated techniques 🌐.

💡 Motivation:

The primary motivation of DragonOK appears to be cyber espionage 🕵️, focusing on obtaining sensitive information 📄 from Japanese entities 🏢.

📛 Names:

DragonOK is the primary name used to identify this group 🏷️. It is also thought to have a direct or indirect relationship with the threat group Moafee 🕊️.

🌍 Location:

The specific location of DragonOK is not clearly identified 🌏, but its targeting of Japanese organizations suggests a focus in East Asia 🌐.

📅 First Seen:

The group was first identified in reports dating back to at least 2014 📆.

👀 Observed:

DragonOK has been observed conducting targeted phishing campaigns 🎣 and deploying a range of custom malware 💻 against Japanese targets 🇯🇵.

Techniques Used in all tactics

DragonOK employs various techniques across different tactics, including but not limited to:

No. | Technique | Description
1 | Application Layer Protocol | Utilizes web protocols and DNS for communication.
2 | Boot or Logon Autostart Execution | Adds programs to the Registry Run keys and Startup folder for persistence.
3 | Command and Scripting Interpreter | Uses Windows Command Shell for execution.
4 | Create or Modify System Process | Creates Windows services for its malicious processes.
5 | Deobfuscate/Decode Files or Information | Employs techniques to decode or deobfuscate files.
6 | Encrypted Channel | Uses symmetric cryptography for secure communication.
7 | File and Directory Discovery | Searches for files and directories of interest on the victim's machine.
8 | Hide Artifacts | Hides files and directories to evade detection.
9 | Hijack Execution Flow | Employs DLL side-loading and DLL search order hijacking.
10 | Ingress Tool Transfer | Transfers additional tools or payloads into the victim's environment.
11 | Input Capture | Uses keylogging to capture user input.
12 | Masquerading | Disguises tasks or services and matches legitimate names or locations to blend in.
13 | Modify Registry | Alters the Windows Registry for various purposes.
14 | Native API | Uses native API calls for various malicious activities.
15 | Network Share Discovery | Searches for network shares in the victim environment.
16 | Non-Application Layer Protocol | Utilizes non-standard protocols for communication.
17 | Obfuscated Files or Information | Obfuscates files to evade detection.
18 | Process Discovery | Identifies processes running on the victim's system.
19 | Query Registry | Queries the Windows Registry to gather information.
20 | Screen Capture | Captures screenshots of the victim's screen.
21 | System Network Connections Discovery | Discovers network connections and related information.
22 | Trusted Developer Utilities Proxy Execution | Uses MSBuild for proxy execution.
23 | Virtualization/Sandbox Evasion | Employs checks to evade detection in virtualized or sandboxed environments.
24 | Web Service | Uses dead drop resolvers for communication.

Software Used by DragonOK

No. | Software | Purpose
1 | PlugX (S0013) | A multifunctional backdoor used for remote control and data exfiltration.
2 | PoisonIvy (S0012) | A well-known remote access tool with capabilities like keylogging, screen capture, and process injection.

🌏 Earth Lusca - Group Overview 🇨🇳

📜 Description:

Earth Lusca is a suspected China-based cyber espionage group 🇨🇳, active since at least April 2019 📆. The group is known for targeting a wide range of organizations globally 🌐, including government institutions 🏛️, news media 📰, gambling companies 🎰, educational institutions 🏫, COVID-19 research organizations 🦠, telecommunications 📡, religious movements banned in China 🚫, and cryptocurrency trading platforms 💱. Some of Earth Lusca's operations appear to be financially motivated 💰.

💡 Motivation:

The primary motivation of Earth Lusca seems to be cyber espionage 🕵️, with a focus on gathering sensitive information 📄. The group's targeting of a diverse set of sectors indicates a broad set of interests, possibly extending beyond traditional espionage to include financial gains 💹.

📛 Names:

Earth Lusca is the primary name for the group 🏷️. It is also associated with TAG-22.

🌍 Location:

While the group is suspected to be based in China 🇨🇳, its operations are global 🌏, affecting countries across multiple continents 🌐.

📅 First Seen:

Earth Lusca's activities were first observed in April 2019 📆.

👀 Observed:

The group has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors worldwide 🏢.

Techniques Used in all tactics

Earth Lusca employs a variety of techniques, including but not limited to:

  1. Abuse Elevation Control Mechanism: Utilizes the Fodhelper UAC bypass technique.
  2. Account Manipulation: Drops SSH-authorized keys for server access.
  3. Acquire Infrastructure: Registers domains and acquires servers and web services for operations.
  4. Active Scanning: Scans for vulnerabilities in public-facing servers.
  5. Archive Collected Data: Uses WinRAR for data compression before exfiltration.
  6. Boot or Logon Autostart Execution: Adds keys to the Registry for persistence.
  7. Command and Scripting Interpreter: Employs PowerShell, Visual Basic, Python, and JavaScript for various tasks.
  8. Compromise Infrastructure: Compromises web servers and web services.
  9. Create or Modify System Process: Creates Windows services for persistence.
  10. Deobfuscate/Decode Files or Information: Uses certutil for decoding.
  11. Domain Trust Discovery: Utilizes Nltest for domain controller information.
  12. Drive-by Compromise: Conducts watering hole attacks.
  13. Exfiltration Over Web Service: Utilizes cloud storage for data exfiltration.
  14. Exploit Public-Facing Application: Exploits vulnerabilities in servers like Microsoft Exchange and Oracle GlassFish.
  15. Exploitation of Remote Services: Uses Mimikatz for exploiting domain controllers.
  16. Hijack Execution Flow: Employs DLL side-loading techniques.
  17. Masquerading: Matches legitimate names or locations for disguising activities.
  18. Modify Registry: Alters the Registry for various purposes.
  19. Obfuscated Files or Information: Uses Base64 encoding and steganography.
  20. Obtain Capabilities: Acquires malware and tools for operations.
  21. OS Credential Dumping: Uses tools like ProcDump and Mimikatz for credential dumping.
  22. Phishing: Sends spearphishing emails with malicious links.
  23. Process Discovery: Utilizes Tasklist for process information.
  24. Proxy: Adopts Cloudflare for proxying compromised servers.
  25. Remote System Discovery: Uses PowerShell and scanning tools for system discovery.
  26. Scheduled Task/Job: Creates scheduled tasks for persistence.
  27. Stage Capabilities: Stages malware on compromised servers and web services.
  28. System Binary Proxy Execution: Uses mshta.exe for executing scripts.
  29. System Network Configuration Discovery: Employs ipconfig for network information.
  30. System Network Connections Discovery: Uses scripts and netstat for network connection info.
  31. System Owner/User Discovery: Collects user account information.

Software Used by Earth Lusca

  1. certutil (S0160): Used for data archiving and decoding.
  2. Cobalt Strike (S0154): A sophisticated exploitation tool used for network reconnaissance and data exfiltration.
  3. Mimikatz (S0002): A well-known tool used for credential dumping.
  4. NBTscan (S0590): Utilized for network service discovery.
  5. Nltest (S0359): Employed for domain trust discovery.
  6. PowerSploit (S0194): A collection of Microsoft PowerShell modules used for various tasks in a network attack.
  7. ShadowPad (S0596): Malware used for network infiltration and data extraction.
  8. Tasklist (S0057): Used for process discovery.
  9. Winnti for Linux (S0430): A Linux variant of the Winnti malware, used for persistent access and data exfiltration.

🌳 Elderwood - Group Overview 🇨🇳

📜 Description:

Elderwood is a cyber espionage group, suspected to be based in China 🇨🇳, known for its involvement in the 2009 Google intrusion, dubbed Operation Aurora. The group has targeted a diverse array of entities 🌐, including defense organizations 🛡️, supply chain manufacturers 🏭, human rights and nongovernmental organizations (NGOs) 🕊️, and IT service providers 💼.

💡 Motivation:

Elderwood's primary motivation appears to be espionage 🕵️, with a focus on stealing sensitive information 📄 from a variety of high-value targets that align with strategic interests 🌍.

📛 Names:

The group is known as Elderwood 🏷️, and it has been associated with other names 🏷️ including Elderwood Gang, Beijing Group, and Sneaky Panda.

🌍 Location:

Elderwood is suspected to be operating out of China 🇨🇳.

📅 First Seen:

The group's activities were notably recognized during Operation Aurora in 2009 📆.

👀 Observed:

Elderwood has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors globally 🏢.

Techniques Used in all tactics

Elderwood employs various techniques, including:

  • Drive-by Compromise: Injecting malicious code into public web pages visited by targets.
  • Exploitation for Client Execution: Using endpoint software vulnerabilities and zero-day exploits.
  • Ingress Tool Transfer: Utilizing the Ritsol backdoor trojan to download files onto compromised hosts.
  • Obfuscated Files or Information: Encrypting documents and executables.
  • Software Packing: Packing malware payloads before delivery.
  • Phishing: Spearphishing with attachments and links to deliver exploits and malware.
  • User Execution: Leveraging spearphishing to get users to open links and attachments.

Software Used by Elderwood

Elderwood has used a range of software tools, including:

  • Briba (S0204): Utilizes various techniques for execution and persistence.
  • Hydraq (S0203): A sophisticated backdoor with data exfiltration and process discovery capabilities.
  • Linfo (S0211): Capable of command execution, data collection, and scheduled data transfer.
  • Naid (S0205): Used for service creation and network information gathering.
  • Nerex (S0210): Employs code signing to subvert trust controls.
  • Pasam (S0208): Collects data from local systems and performs file and directory discovery.
  • PoisonIvy (S0012): A well-known backdoor with keylogging and data exfiltration capabilities.
  • Vasport (S0207): Used for proxying and data ingress.
  • Wiarp (S0206): Executes commands and injects processes.

🔥 Ember Bear - Group Overview 🇷🇺

📜 Description:

Ember Bear is a cyber espionage group suspected to be sponsored by the Russian state 🇷🇺. Active since at least March 2021 📆, the group has primarily focused on operations against Ukraine 🇺🇦 and Georgia 🇬🇪. They have also targeted Western European 🌍 and North American 🌎 foreign ministries 🏛️, pharmaceutical companies 💊, and financial sector organizations 💰. Ember Bear is believed to have conducted the WhisperGate destructive wiper attacks 🌪️ against Ukraine in early 2022.

💡 Motivation:

The primary motivation of Ember Bear appears to be state-sponsored espionage 🕵️, with a focus on geopolitical intelligence gathering 🌍 and potentially causing disruption in targeted regions 🌐.

📛 Names:

Ember Bear is also known as Saint Bear 🐻, UNC2589, UAC-0056, Lorec53, Lorec Bear, and Bleeding Bear 🏷️.

🌍 Location:

The group is suspected to be based in Russia 🇷🇺.

📅 First Seen:

Ember Bear's activities were first identified in March 2021 📆.

👀 Observed:

The group has been observed targeting a range of entities in Ukraine 🇺🇦, Georgia 🇬🇪, Western Europe 🌍, North America 🌎, and other regions 🌐, with a focus on government 🏛️, pharmaceutical 💊, and financial sectors 💰.

Techniques Used in all tactics

Ember Bear employs various techniques, including:

  • Command and Scripting Interpreter: Using PowerShell, Windows Command Shell, and JavaScript for execution.
  • Exploitation for Client Execution: Exploiting Microsoft Office vulnerabilities.
  • Impair Defenses: Disabling Windows Defender and other security tools.
  • Ingress Tool Transfer: Downloading malicious code.
  • Modify Registry: Altering registry keys for persistence and evasion.
  • Obfuscated Files or Information: Employing binary padding, software packing, and command obfuscation.
  • Phishing: Spearphishing with attachments and links.
  • Subvert Trust Controls: Using stolen certificates for payload signing.
  • System Binary Proxy Execution: Leveraging control panel files for execution.
  • User Execution: Luring users to click on malicious links or files.
  • Web Service: Using Discord's CDN for malware delivery.

Software Used by Ember Bear

Ember Bear utilizes various software tools, including:

  1. OutSteel (S1017): A document stealer and phishing tool.
  2. Saint Bot (S1018): A downloader with capabilities like UAC bypass and process injection.
  3. WhisperGate (S0689): A destructive wiper tool used in attacks against Ukraine.

🔍 Equation - Group Overview 🌐

📜 Description:

Equation is a highly sophisticated cyber threat group known for its advanced techniques and capabilities 🔒. The group is particularly notable for its use of zero-day exploits 🛡️ and its unique ability to overwrite the firmware of hard disk drives 💾, making their attacks extremely stealthy and persistent 🕵️.

💡 Motivation:

While the specific motivations of Equation are not explicitly detailed in the available information 🤐, their advanced capabilities and the nature of their operations suggest a focus on cyber espionage 📄 and intelligence gathering 🌍.

📛 Names:

The group is primarily known as Equation 🏷️.

🌍 Location:

The specific location of Equation is not publicly disclosed or identified in the available sources 🌐.

📅 First Seen:

Equation's activities were first identified and reported by Kaspersky Lab's Global Research and Analysis Team in February 2015 📆.

👀 Observed:

Equation has been observed employing sophisticated techniques and tools 🛠️, targeting a range of systems and devices with advanced malware 🦠.

Techniques Used in all tactics

Equation employs a variety of advanced techniques, including:

  1. Execution Guardrails: Environmental Keying (T1480.001): Utilizing environmental keying in payload delivery to ensure that their malware executes only in specific environments.
  2. Hide Artifacts: Hidden File System (T1564.005): Using an encrypted virtual file system stored in the Windows Registry for stealth.
  3. Peripheral Device Discovery (T1120): Searching for specific information about attached hard drives, potentially to identify and overwrite firmware.
  4. Pre-OS Boot: Component Firmware (T1542.002): Demonstrating the capability to overwrite the firmware on hard drives from certain manufacturers.

Software Used by Equation

While specific software tools used by Equation are not detailed in the provided information, their known capabilities suggest the use of highly sophisticated malware, including:

  • Malware capable of firmware manipulation.
  • Tools for environmental keying and hidden file systems.
  • Advanced malware leveraging zero-day exploits.

EXOTIC LILY - Group Overview

Description:

EXOTIC LILY is a financially motivated cyber threat group, closely associated with Wizard Spider. The group is known for deploying ransomware, including Conti and Diavol. EXOTIC LILY is believed to act as an initial access broker for other malicious actors. Since at least September 2021, they have targeted various industries, including IT, cybersecurity, and healthcare.

Motivation:

The primary motivation of EXOTIC LILY appears to be financial gain. Their activities suggest a focus on ransomware deployment and possibly selling access to compromised systems to other threat actors.

Names:

The group is primarily known as EXOTIC LILY.

Location:

EXOTIC LILY's specific location is not mentioned, but they have targeted organizations globally.

First Seen:

Their activities were first observed in September 2021.

Observed:

EXOTIC LILY has been observed using sophisticated phishing techniques, exploiting vulnerabilities, and leveraging various tools for initial access and payload delivery.

Techniques Used in all tactics

EXOTIC LILY employs a range of techniques, including:

  1. Acquire Infrastructure: Domains (T1583.001): Registering domains to spoof targeted organizations.
  2. Establish Accounts: Social Media and Email Accounts (T1585.001, .002): Creating social media profiles and email accounts for impersonation.
  3. Exploitation for Client Execution (T1203): Using malicious documents with exploits.
  4. Gather Victim Identity Information: Email Addresses (T1589.002): Collecting email addresses through open-source research.
  5. Phishing: Spearphishing Attachment and Link (T1566.001, .002): Conducting email campaigns with malicious attachments and links.
  6. Search Closed Sources and Open Websites/Domains (T1597, T1593.001): Utilizing business databases and social media for information gathering.
  7. Stage Capabilities: Upload Malware (T1608.001): Uploading malicious payloads to file-sharing services.
  8. User Execution: Malicious Link and File (T1204.001, .002): Luring users to execute malicious payloads.
  9. Web Service (T1102): Using file-sharing services for payload delivery.

Software Used by EXOTIC LILY

EXOTIC LILY is known to use several software tools, including:

  1. Bazar (S0534): A backdoor used for various malicious activities, including data exfiltration and command execution.
  2. Bumblebee (S1039): A loader and backdoor capable of bypassing user account control and executing malicious code.

Ferocious Kitten - Group Overview

Description:

Ferocious Kitten is a cyber threat group known for its covert surveillance activities targeting Persian-speaking individuals in Iran. The group has been active since at least 2015 and is noted for its use of sophisticated cyber espionage tactics.

Motivation:

The primary motivation of Ferocious Kitten appears to be intelligence gathering and surveillance, particularly focusing on individuals within Iran.

Names:

The group is primarily known as Ferocious Kitten.

Location:

While the specific location of Ferocious Kitten is not detailed, their primary target region is Iran.

First Seen:

Their activities were first observed in 2015.

Observed:

Ferocious Kitten has been observed employing various cyber espionage techniques, including spearphishing, domain masquerading, and the use of open-source tools for malicious purposes.

Techniques Used in all tactics

Ferocious Kitten employs a range of techniques, including:

  1. Acquire Infrastructure: Domains (T1583.001): Acquiring domains that imitate legitimate sites.
  2. Masquerading: Right-to-Left Override (T1036.002): Using right-to-left override to disguise executable file names.
  3. Masquerading: Match Legitimate Name or Location (T1036.005): Naming malicious files as update.exe and placing them in common folders.
  4. Obtain Capabilities: Tool (T1588.002): Utilizing open-source tools like JsonCPP and Psiphon.
  5. Phishing: Spearphishing Attachment (T1566.001): Conducting spearphishing campaigns with malicious document attachments.
  6. User Execution: Malicious File (T1204.002): Convincing victims to enable malicious content within spearphishing emails.

Software Used by Ferocious Kitten

Ferocious Kitten is known to use several software tools, including:

  1. BITSAdmin (S0190): Utilizing BITS jobs for various purposes, including exfiltration and tool transfer.
  2. MarkiRAT (S0652): A RAT with capabilities like capturing clipboard data, keylogging, screen capture, and more.

FIN10 - Group Overview

Description:

FIN10 is a financially motivated threat group that has been active since at least 2013, primarily targeting organizations in North America. The group is known for using stolen data exfiltrated from victims to extort organizations.

Motivation:

FIN10's primary motivation appears to be financial gain, achieved through cyber extortion and other financially motivated cybercrimes.

Names:

The group is commonly referred to as FIN10.

Location:

While specific details about the group's location are not provided, their primary targets have been organizations in North America.

First Seen:

FIN10's activities were first observed in 2013.

Observed:

FIN10 has been observed employing a variety of techniques for extortion, data theft, and maintaining access to victim networks.

Techniques Used in all tactics

  1. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): FIN10 has used the Registry option in PowerShell Empire to add a Run key for persistence.
  2. Command and Scripting Interpreter: PowerShell (T1059.001): The group uses PowerShell for execution and to establish persistence with PowerShell Empire.
  3. Command and Scripting Interpreter: Windows Command Shell (T1059.003): Execution of malicious .bat files containing PowerShell commands.
  4. Indicator Removal: File Deletion (T1070.004): Use of batch scripts and scheduled tasks to delete critical system files.
  5. Lateral Tool Transfer (T1570): Deployment of Meterpreter stagers and SplinterRAT after moving laterally.
  6. Obtain Capabilities: Tool (T1588.002): Reliance on publicly available software for initial footholds and persistence.
  7. Remote Services: Remote Desktop Protocol (T1021.001): Use of RDP for lateral movement.
  8. Scheduled Task/Job: Scheduled Task (T1053.005): Establishing persistence using S4U tasks and the Scheduled Task option in PowerShell Empire.
  9. System Owner/User Discovery (T1033): Enumeration of users on remote systems using Meterpreter.
  10. Valid Accounts (T1078): Use of stolen credentials for remote access and lateral movement.

Software Used by FIN10

  • Empire (S0363): A post-exploitation framework used for various purposes, including persistence, privilege escalation, and lateral movement.

FIN13 - Group Overview

Description:

FIN13 is a financially motivated cyber threat group that has been active since at least 2016. The group primarily targets the financial, retail, and hospitality industries in Mexico and Latin America. FIN13 is known for stealing intellectual property, financial data, mergers and acquisitions information, or personally identifiable information (PII).

Motivation:

The primary motivation of FIN13 is financial gain, achieved through intellectual property theft, financial data exfiltration, and potentially other forms of cybercrime.

Names:

FIN13 is also associated with the name Elephant Beetle.

Location:

While specific details about the group's location are not provided, their primary targets have been organizations in Mexico and Latin America.

First Seen:

FIN13's activities were first observed in 2016.

Observed:

FIN13 has been observed employing a variety of techniques for data theft, maintaining access to victim networks, and conducting financial theft.

Techniques Used in all tactics

  1. Access Token Manipulation: Make and Impersonate Token (T1134.003): Utilizing tools like Incognito V2 for token manipulation.
  2. Account Discovery (T1087): Enumerating users and roles from victim systems.
  3. Account Manipulation (T1098): Assigning sysadmin roles to new accounts for persistence.
  4. Application Layer Protocol: Web Protocols (T1071.001): Using HTTP requests for web shell chaining and C2 communication.
  5. Archive Collected Data: Archive via Utility (T1560.001): Compressing stolen credentials using 7zip.
  6. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Using Windows Registry run keys for persistence.
  7. Command and Scripting Interpreter: PowerShell (T1059.001): Executing PowerShell commands for DNS data extraction.
  8. Command and Scripting Interpreter: Windows Command Shell (T1059.003): Leveraging cmd.exe and Windows Script Host for command execution.
  9. Create Account: Local Account (T1136.001): Creating local MS-SQL accounts in compromised networks.
  10. Data from Local System (T1005): Gathering stolen credentials and sensitive data for exfiltration.
  11. Data Manipulation (T1565): Injecting fraudulent transactions to siphon off money.
  12. Data Staged: Local Data Staging (T1074.001): Using temporary folders on compromised systems for staging data.
  13. Deobfuscate/Decode Files or Information (T1140): Using certutil to decode base64 encoded malware.
  14. Develop Capabilities: Malware (T1587.001): Utilizing custom malware for persistence.
  15. Exploit Public-Facing Application (T1190): Exploiting known vulnerabilities for initial access.
  16. External Remote Services (T1133): Gaining access via corporate VPNs.
  17. File and Directory Discovery (T1083): Enumerating files and directories using Windows dir command.
  18. Financial Theft (T1657): Observing victim's software and infrastructure for fraudulent transactions.
  19. Gather Victim Identity Information (T1589): Researching employees for social engineering attacks.
  20. Gather Victim Network Information: Network Topology (T1590.004): Searching for remote access infrastructure.
  21. Hide Artifacts: Hidden Files and Directories (T1564.001): Creating hidden files and folders for stealth.
  22. Hijack Execution Flow: DLL Side-Loading (T1574.002): Using side-loading techniques for malicious DLL execution.
  23. Ingress Tool Transfer (T1105): Downloading additional tools and malware.
  24. Input Capture: Keylogging (T1056.001): Logging keystrokes for privilege escalation.
  25. Masquerading (T1036): Using various masquerading techniques for stealth.
  26. Modify Authentication Process (T1556): Replacing legitimate binaries with trojanized versions.
  27. Network Service Discovery (T1046): Using tools like nmap for reconnaissance.
  28. Network Share Discovery (T1135): Executing net view commands for share enumeration.
  29. Obtain Capabilities: Tool (T1588.002): Utilizing publicly available tools like Mimikatz and Impacket.
  30. OS Credential Dumping (T1003): Dumping credentials from LSASS memory and NTDS.DIT file.
  31. Permission Groups Discovery (T1069): Enumerating users and roles from victim systems.
  32. Protocol Tunneling (T1572): Using web shells and Java tools for tunneling.
  33. Proxy: Internal Proxy (T1090.001): Utilizing internal proxy tools for communication.
  34. Remote Services: Remote Desktop Protocol (T1021.001): Accessing environments via RDS for lateral movement.
  35. Scheduled Task/Job: Scheduled Task (T1053.005): Creating scheduled tasks for persistence.
  36. Server Software Component: Web Shell (T1505.003): Utilizing web shells for remote code execution.
  37. System Information Discovery (T1082): Collecting host and network information.
  38. System Network Configuration Discovery (T1016): Using nslookup and ipconfig for network reconnaissance.
  39. Unsecured Credentials: Credentials In Files (T1552.001): Obtaining credentials from local files.
  40. Use Alternate Authentication Material: Pass the Hash (T1550.002): Executing pass the hash for lateral movement.
  41. Valid Accounts: Default Accounts (T1078.001): Leveraging default credentials for initial access.
  42. Windows Management Instrumentation (T1047): Using WMI for command execution and lateral movement.

Software Used by FIN13

  • certutil (S0160): Used for various purposes including data archiving and decoding.
  • Empire (S0363): A post-exploitation framework used for various purposes, including persistence, privilege escalation, and lateral movement.
  • Impacket (S0357): A collection of Python classes for working with network protocols.
  • Mimikatz (S0002): A tool to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.

FIN4 - Group Overview

Description:

FIN4 is a financially-motivated threat group known for targeting confidential information related to the public financial market. Active since at least 2013, their primary focus has been on healthcare and pharmaceutical companies. Unlike many cyber threat groups, FIN4 does not typically use persistent malware; instead, they concentrate on capturing credentials authorized to access email and other non-public correspondence.

Motivation:

FIN4's primary motivation appears to be financial gain, achieved through the acquisition of sensitive information related to the stock market, particularly in the healthcare and pharmaceutical sectors.

Names:

FIN4 is the primary name associated with this threat group.

Location:

The specific location of FIN4 is not detailed in the available information.

First Seen:

FIN4's activities have been observed since at least 2013.

Observed:

FIN4 has been observed employing various techniques to capture sensitive information and credentials, often focusing on email hijacking and credential theft rather than deploying traditional malware.

Techniques Used in all tactics

  1. Application Layer Protocol: Web Protocols (T1071.001): FIN4 has used HTTP POST requests to transmit data.
  2. Command and Scripting Interpreter: Visual Basic (T1059.005): Utilization of VBA macros to display dialog boxes and collect credentials.
  3. Email Collection: Remote Email Collection (T1114.002): Accessing and hijacking online email communications using stolen credentials.
  4. Hide Artifacts: Email Hiding Rules (T1564.008): Creating rules in Outlook accounts to automatically delete emails containing certain keywords.
  5. Input Capture: Keylogging (T1056.001): Capturing credentials via fake login pages and a .NET-based keylogger.
  6. Input Capture: GUI Input Capture (T1056.002): Presenting spoofed Windows Authentication prompts to collect credentials.
  7. Phishing: Spearphishing Attachment (T1566.001): Using spearphishing emails with attachments containing malicious macros.
  8. Phishing: Spearphishing Link (T1566.002): Sending spearphishing emails containing malicious links.
  9. Proxy: Multi-hop Proxy (T1090.003): Using Tor to log into victims' email accounts.
  10. User Execution: Malicious Link (T1204.001): Luring victims to click malicious links in spearphishing emails.
  11. User Execution: Malicious File (T1204.002): Encouraging victims to launch malicious attachments in spearphishing emails.
  12. Valid Accounts (T1078): Using legitimate credentials to hijack email communications.

Software Used by FIN4

FIN4 primarily uses custom tools and techniques tailored to their specific method of operation, focusing on credential theft and email hijacking. Specific software names are not mentioned in the provided information, but their tactics involve the use of VBA macros, .NET-based keyloggers, and possibly other custom-developed tools for credential capture and email manipulation.

FIN5 - Group Overview

Description:

FIN5 is a financially motivated threat group known for targeting personally identifiable information (PII) and payment card information. Active since at least 2008, FIN5 has primarily targeted industries such as restaurants, gaming, and hotels. The group consists of actors who likely speak Russian.

Motivation:

FIN5's primary motivation is financial gain, achieved through the theft of sensitive personal and financial data.

Names:

FIN5 is the primary name associated with this threat group.

Location:

The specific location of FIN5 is not detailed in the available information, but the group is believed to comprise Russian-speaking actors.

First Seen:

FIN5's activities have been observed since at least 2008.

Observed:

FIN5 has been observed employing various techniques to capture sensitive information, focusing on automated collection, brute force attacks, and the use of external remote services.

Techniques Used in all tactics

  1. Automated Collection (T1119): FIN5 uses scripts to scan processes on all systems in the environment and automate data collection.
  2. Brute Force (T1110): Utilization of tools like GET2 Penetrator to search for remote login and hard-coded credentials.
  3. Command and Scripting Interpreter (T1059): Execution of automated scripts for scanning processes.
  4. Data Staged: Local Data Staging (T1074.001): Scripts save memory dump data in specific directories on hosts.
  5. External Remote Services (T1133): Use of legitimate VPN, Citrix, or VNC credentials for access.
  6. Indicator Removal: Clear Windows Event Logs (T1070.001) and File Deletion (T1070.004): Clearing event logs and using SDelete for cleanup.
  7. Obtain Capabilities: Tool (T1588.002): Acquisition and use of tools like a customized PsExec, pwdump, SDelete, and Windows Credential Editor.
  8. Proxy: External Proxy (T1090.002): Maintaining access via FLIPSIDE to create a proxy for a backup RDP tunnel.
  9. Remote System Discovery (T1018): Using tools like Essential NetTools for network mapping.
  10. Valid Accounts (T1078): Using legitimate credentials for maintained access.

Software Used by FIN5

  1. FLIPSIDE: Used for protocol tunneling.
  2. PsExec: A customized version for creating accounts, modifying system processes, and lateral movement.
  3. pwdump: For dumping OS credentials.
  4. RawPOS: Employed for data collection, staging, and masquerading tasks.
  5. SDelete: Used for data destruction and indicator removal.
  6. Windows Credential Editor: For dumping credentials from LSASS memory.

FIN6 - Group Overview

Description:

FIN6 is a cybercrime group known for stealing payment card data and selling it on underground marketplaces. They have aggressively targeted and compromised Point of Sale (PoS) systems, predominantly in the hospitality and retail sectors.

Motivation:

FIN6 is financially motivated, focusing on the theft and sale of payment card data for profit.

Names:

  • FIN6
  • Associated Groups: Magecart Group 6, ITG08, Skeleton Spider

Location:

The specific location of FIN6 is not detailed in the available information.

First Seen:

FIN6's activities have been observed since at least 2016.

Observed:

FIN6 has been noted for its aggressive tactics in compromising PoS systems and its sophisticated methods of data exfiltration and sale.

Techniques Used in all tactics

  1. Access Token Manipulation (T1134): Used Metasploit’s named-pipe impersonation for privilege escalation.
  2. Account Discovery: Domain Account (T1087.002): Employed Metasploit’s PsExec NTDSGRAB module for Active Directory database access.
  3. Archive Collected Data (T1560): Compressed log files into ZIP archives before staging and exfiltration.
  4. Automated Collection (T1119): Scripted iteration through compromised PoS systems for data collection.
  5. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Established persistence for downloader tools.
  6. Brute Force: Password Cracking (T1110.002): Extracted password hashes for offline cracking.
  7. Command and Scripting Interpreter (T1059): Used for executing scripts on compromised systems.
  8. Credentials from Password Stores (T1555): Employed Stealer One credential stealer for targeting email and FTP utilities.
  9. Data from Information Repositories (T1213): Collected schemas and user accounts from SQL Server systems.
  10. Data from Local System (T1005): Gathered and exfiltrated payment card data.
  11. Data Staged: Remote Data Staging (T1074.002): Compressed data from remote systems for staging.
  12. Encrypted Channel: Asymmetric Cryptography (T1573.002): Used Plink for SSH tunnel creation.
  13. Exploitation for Privilege Escalation (T1068): Exploited Windows vulnerabilities for privilege escalation.
  14. Impair Defenses: Disable or Modify Tools (T1562.001): Deployed scripts to disable anti-virus.
  15. Indicator Removal: File Deletion (T1070.004): Removed files from victim machines.
  16. Masquerading: Masquerade Task or Service (T1036.004): Renamed services to masquerade as legitimate.
  17. Network Service Discovery (T1046): Used tools for internal network mapping and reconnaissance.
  18. Obfuscated Files or Information: Command Obfuscation (T1027.010): Encoded PowerShell commands.
  19. Obtain Capabilities: Tool (T1588.002): Acquired tools like Mimikatz and Cobalt Strike.
  20. OS Credential Dumping (T1003): Used Windows Credential Editor for LSASS memory dumping.
  21. Phishing: Spearphishing Attachment (T1566.001): Targeted victims with malicious email attachments.
  22. Protocol Tunneling (T1572): Created SSH tunnels using Plink.
  23. Remote Services: Remote Desktop Protocol (T1021.001): Used RDP for lateral movement.
  24. Scheduled Task/Job: Scheduled Task (T1053.005): Established persistence for malware.
  25. Subvert Trust Controls: Code Signing (T1553.002): Used Comodo code-signing certificates.
  26. System Services: Service Execution (T1569.002): Created services for executing encoded commands.
  27. User Execution: Malicious File (T1204.002): Lured victims to execute malicious files.
  28. Valid Accounts (T1078): Used stolen credentials for lateral movement.
  29. Web Service (T1102): Utilized Pastebin and Google Storage for hosting operations.
  30. Windows Management Instrumentation (T1047): Automated remote execution of scripts.

Software Used by FIN6

  1. AdFind
  2. Cobalt Strike
  3. FlawedAmmyy
  4. FrameworkPOS
  5. GrimAgent
  6. LockerGoga
  7. Maze
  8. Mimikatz
  9. More_eggs
  10. PsExec
  11. Ryuk
  12. Windows Credential Editor

FIN7 - Group Overview

Description:

FIN7 is a financially motivated threat group that has been active since 2013. Known for targeting a wide range of industries, including retail, restaurant, and hospitality, FIN7 is notorious for its use of point-of-sale malware and well-resourced intrusion campaigns. The group has been linked to the use of REvil ransomware and to its own Ransomware as a Service (RaaS) offering, Darkside.

Motivation:

FIN7's primary motivation is financial gain, achieved through cyber attacks targeting sensitive financial data.

Names:

  • FIN7
  • Associated Groups: GOLD NIAGARA, ITG14, Carbon Spider

Location:

The specific location of FIN7 is not detailed in the available information.

First Seen:

FIN7's activities have been observed since at least 2013.

Observed:

FIN7 has been noted for its diverse targeting across various industries and its shift to big game hunting (BGH) tactics, including the use of ransomware.

Techniques Used (All Tactics)

  1. Acquire Infrastructure: Domains (T1583.001): Registered look-alike domains for phishing.
  2. Application Layer Protocol: DNS (T1071.004): Performed C2 using DNS.
  3. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Created Registry Run and RunOnce keys for persistence.
  4. Command and Scripting Interpreter (T1059): Used various scripting languages for task execution.
  5. Create or Modify System Process: Windows Service (T1543.003): Created new Windows services for persistence.
  6. Data Encrypted for Impact (T1486): Employed Darkside ransomware for data encryption.
  7. Develop Capabilities: Malware (T1587.001): Developed malware, including infected removable media.
  8. Event Triggered Execution: Application Shimming (T1546.011): Used application shim databases for persistence.
  9. Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Exfiltrated data to the MEGA file-sharing site.
  10. Exploitation of Remote Services (T1210): Exploited the ZeroLogon vulnerability.
  11. Ingress Tool Transfer (T1105): Downloaded additional malware for execution.
  12. Inter-Process Communication: Dynamic Data Exchange (T1559.002): Used DDE in spear phishing campaigns.
  13. Masquerading: Masquerade Task or Service (T1036.004): Created tasks like "AdobeFlashSync" for persistence.
  14. Non-Standard Port (T1571): Used port-protocol mismatches for C2.
  15. Obfuscated Files or Information: Command Obfuscation (T1027.010): Employed various obfuscation techniques.
  16. Obtain Capabilities: Tool (T1588.002): Utilized tools like Cobalt Strike and PowerSploit.
  17. Phishing: Spearphishing Attachment (T1566.001): Sent spearphishing emails with malicious attachments.
  18. Remote Access Software (T1219): Used remote management tools like Atera.
  19. Remote Services: RDP, SSH, VNC (T1021): Used various remote services for lateral movement.
  20. Replication Through Removable Media (T1091): Mailed USB drives containing malware.
  21. Scheduled Task/Job: Scheduled Task (T1053.005): Created tasks for malware persistence.
  22. Screen Capture (T1113): Captured screenshots and desktop recordings.
  23. Stage Capabilities: Upload Malware (T1608.001): Staged trojanized software on Amazon S3.
  24. Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003): Used Kerberoasting for credential access.
  25. Subvert Trust Controls: Code Signing (T1553.002): Digitally signed payloads and tools.
  26. Supply Chain Compromise: Compromise Software Supply Chain (T1195.002): Gained access via software supply chain compromise.
  27. System Binary Proxy Execution: Mshta, Rundll32 (T1218.005, .011): Used system binaries for execution.
  28. System Owner/User Discovery (T1033): Collected user session information.
  29. User Execution: Malicious Link/File (T1204.001, .002): Lured victims to execute malicious content.
  30. Valid Accounts (T1078): Harvested valid credentials f