Input Capture: Keylogging
Other sub-techniques of Input Capture (4)
ID | Name |
---|---|
T1056.001 | Keylogging |
T1056.002 | GUI Input Capture |
T1056.003 | Web Portal Capture |
T1056.004 | Credential API Hooking |
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.[1] Some methods include:
- Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
- Reading raw keystroke data from the hardware buffer.
- Windows Registry modifications.
- Custom drivers.
Procedure Examples
Name | Description |
---|---|
ADVSTORESHELL |
ADVSTORESHELL can perform keylogging.[13][14] |
Agent Tesla |
Agent Tesla can log keystrokes on the victim’s machine.[49][50][51][52] |
APT28 | |
APT3 |
APT3 has used a keylogging tool that records keystrokes in encrypted files.[103] |
APT32 |
APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.[125] |
APT38 |
APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[106] |
APT39 | |
APT41 |
APT41 used a keylogger called GEARSHIFT on a target system.[93] |
Astaroth | |
Attor |
One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.[98] |
BabyShark |
BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[95] |
BADNEWS |
When it first starts, BADNEWS spawns a new thread to log keystrokes.[41][42][43] |
BadPatch | |
Bandook | |
BISCUIT | |
BlackEnergy |
BlackEnergy has run a keylogger plug-in on a victim.[77] |
Cadelspy |
Cadelspy has the ability to log keystrokes on the compromised host.[101] |
Carbanak |
Carbanak logs key strokes for configured processes and sends them back to the C2 server.[24][25] |
Cardinal RAT |
Cardinal RAT can log keystrokes.[73] |
Catchamas |
Catchamas collects keystrokes from the victim’s machine.[62] |
CHOPSTICK | |
Cobalt Strike |
Cobalt Strike can track key presses with a keylogger module.[9] |
Cobian RAT |
Cobian RAT has a feature to perform keylogging on the victim’s machine.[60] |
CosmicDuke |
CosmicDuke uses a keylogger.[66] |
DarkComet | |
Darkhotel | |
Daserf | |
Derusbi | |
DOGCALL | |
Duqu | |
DustySky |
DustySky contains a keylogger.[15] |
Empire |
Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[10] |
EvilGrab | |
FakeM | |
FIN4 |
FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[113][114] |
Fysbis | |
gh0st RAT | |
GreyEnergy |
GreyEnergy has a module to harvest pressed keystrokes.[56] |
Group5 |
Malware used by Group5 is capable of capturing keystrokes.[88] |
Helminth |
The executable version of Helminth has a module to log keystrokes.[69] |
HTTPBrowser |
HTTPBrowser is capable of capturing keystrokes on victims.[59] |
Imminent Monitor |
Imminent Monitor has a keylogging module.[12] |
JPIN | |
jRAT |
jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[67][68] |
Kasidet | |
Ke3chang | |
KeyBoy |
KeyBoy installs a keylogger for intercepting credentials and keystrokes.[89] |
Kimsuky | |
Kivars |
Kivars has the ability to initiate keylogging on the infected host.[97] |
KONNI | |
Lazarus Group |
Lazarus Group malware KiloAlfa contains keylogging functionality.[104][105] |
Lokibot |
Lokibot has the ability to capture input on the compromised host via keylogging.[100] |
Machete | |
MacSpy | |
Magic Hound |
Magic Hound malware is capable of keylogging.[115] Magic Hound used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[116] |
Matroyshka |
Matroyshka is capable of keylogging.[29][30] |
menuPass |
menuPass has used key loggers to steal usernames and passwords.[120] |
Micropsia | |
MoonWind | |
NanoCore |
NanoCore can perform keylogging on the victim’s machine.[26] |
NavRAT | |
NetTraveler |
NetTraveler contains a keylogger.[40] |
NETWIRE | |
njRAT | |
OilRig |
OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.[108][109] |
Okrum |
Okrum was seen using a keylogger tool to capture keystrokes. [99] |
OwaAuth |
OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, |
PLATINUM | |
PlugX |
PlugX has a module for capturing keystrokes per process including window titles.[20] |
PoetRAT |
PoetRAT has used a Python tool named klog.exe for keylogging.[96] |
PoisonIvy | |
PoshC2 |
PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[11] |
PowerSploit |
PowerSploit's |
Prikormka |
Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[17] |
Proton | |
Pupy |
Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.[2] |
QuasarRAT | |
Regin | |
Remcos | |
Remexi |
Remexi gathers and exfiltrates keystrokes from the machine.[83] |
Remsec | |
Revenge RAT |
Revenge RAT has a plugin for keylogging.[84][85] |
ROKRAT |
ROKRAT uses a keylogger to capture keystrokes and location of where the user is typing.[70] |
Rover | |
RTM |
RTM can record keystrokes from both the keyboard and virtual keyboard.[38][39] |
RunningRAT |
RunningRAT captures keystrokes and sends them back to the C2 server.[45] |
Sandworm Team |
Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[124] |
Sowbug | |
SslMM |
SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.[47] |
Stolen Pencil |
Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{{txt,log}}. [119] |
Sykipot |
Sykipot contains keylogging functionality to steal passwords.[19] |
TajMahal |
TajMahal has the ability to capture keystrokes on an infected host.[102] |
Threat Group-3390 |
Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[59][111][112] |
TinyZBot | |
Unknown Logger |
Unknown Logger is capable of recording keystrokes.[41] |
VERMIN | |
XAgentOSX |
XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.[53] |
yty | |
Zeus Panda |
Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.[65] |
ZxShell |
ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.[93][94] |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook
, GetKeyState
, and GetAsyncKeyState
.[1] Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
References
- Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
- Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
- MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
- Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
- Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
- Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
- Galperin, E., Et al.. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
- Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
- Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
- Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
- Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
- Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
- Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
- United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
- Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
- Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
- Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.