{ "type": "Domain", "indicator": "secure.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/secure.com", "alexa": "http://www.alexa.com/siteinfo/secure.com", "indicator": "secure.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2813982698, "indicator": "secure.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f486c411d421163131fe6f", "name": "2012: Malware Analysis Report", "description": "", "modified": "2026-05-01T10:56:04.377000", "created": "2026-05-01T10:56:04.377000", "tags": [], "references": [ "2012-01-04 - SpyEye Malware Borrows Zeus Trick to Mask Fraud.pdf", "2012-01-08 - Cold$eal- 'Situation is under control'.pdf", "2012-01-06 - Cracking Cold$eal 5.4.1 FWB++.pdf", "2012-01-06 - Cracking ColdSeal 5.4.1 FWB.pdf", "2012-02-15 - Merchant of Fraud Returns- Shylock Polymorphic Financial Malware Infections on the Rise.pdf", "2012-02-01 - TDL4 - Purple Haze (Pihar) Variant - sample and analysis.pdf", "2012-01-12 - Blackhole Ramnit - samples and analysis.pdf", "2012-03-16 - OSX-Imuler updated- still a threat on Mac OS X.pdf", "2012-03-26 - LUCKYCAT REDUX Inside an APT Campaign with Multiple Targets in India and Japan.pdf", "2012-03-06 - Virus Ukash Gendarmerie Absence twexx32.dll.pdf", "2012-04-05 - Darkshell DDOS Botnet Evolves With Variants.pdf", "2012-04-16 - Detailed Analysis Of Sykipot (Smartcard Proxy Variant).pdf", "2012-04-10 - OSX-FlashbackO sample and some domains.pdf", "2012-04-05 - China Hacked South Korea Over Missile Defense, U.S. Firm Says.pdf", "2012-04-10 - OSX-Flashback.O sample + some domains.pdf", "2012-04-12 - OSX-Flashback.K sample + Mac OS malware study set (30+ older samples).pdf", "2012-04-12 - OSX-Flashback.K sample and Mac OS malware study set (over 30 older samples).pdf", "2012-04-23 - BKDR_CYSXL.A.pdf", "2012-04-18 - DarkMegi rootkit - sample (distributed via Blackhole).pdf", "2012-05-31 - Flamer- A Recipe for Bluetoothache.pdf", "2012-06-06 - Tinba - Zusy - tiny banker trojan.pdf", "2012-06-04 - Small banking Trojan poses major risk.pdf", "2012-05-28 - The Flame- Questions and Answers.pdf", "2012-06-05 - Smartcard vulnerabilities in modern banking malware.pdf", "2012-06-09 - You dirty RAT! Part 1- DarkComet.pdf", "2012-06-21 - BlackShades in Syria.pdf", "2012-06-15 - You Dirty RAT! Part 2 \u2013 BlackShades NET.pdf", "2012-07-02 - Sykipot is back.pdf", "2012-06-24 - Medre.A - AutoCAD worm samples.pdf", "2012-06-21 - RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army.pdf", "2012-07-17 - Kaspersky Lab and Seculert Announce \u2018Madi,\u2019 a Newly Discovered Cyber-Espionage Campaign in the Middle East.pdf", "2012-07-17 - The Madi Attacks- Series of Social Engineering Campaigns.pdf", "2012-07-13 - Rovnix bootkit framework updated.pdf", "2012-07-26 - The Madi Campaign \u2013 Part II.pdf", "2012-07-22 - Xtreme RAT analysis.pdf", "2012-08-01 - \u201cRunForestRun\u201d, \u201cgootkit\u201d and random domain name generation.pdf", "2012-07-24 - New Apple Mac Trojan Called OSX-Crisis Discovered.pdf", "2012-07-17 - The Madi Campaign \u2013 Part I.pdf", "2012-08-01 - Inside the ICE IX bot, descendent of Zeus.pdf", "2012-08-10 - Gauss samples - Nation-state cyber-surveillance + Banking trojan.pdf", "2012-08-02 - Cridex Analysis using Volatility.pdf", "2012-08-17 - Shamoon or DistTrack.A samples.pdf", "2012-08-20 - Crisis for Windows Sneaks onto Virtual Machines.pdf", "2012-08-16 - Shamoon the Wiper \u2013 Copycats at Work.pdf", "2012-08-16 - The Shamoon Attacks.pdf", "2012-08-16 - Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel.pdf", "2012-08-22 - The first Trojan in history to steal Linux and Mac OS X passwords.pdf", "2012-08-30 - Troj-Binanen-B.pdf", "2012-09-18 - QassamCyberFighters's Pastebin.pdf", "2012-09-01 - URLZone reloaded- new evolution.pdf", "2012-09-28 - Dissecting 'Operation Ababil' - an OSINT Analysis.pdf", "2012-10-02 - Blackhole Exploit Kit \u2013 Rise and Evolution.pdf", "2012-09-06 - The Elderwood Project.pdf", "2012-09-19 - Blog Posts on Nitol.pdf", "2012-08-13 - Syrian Electronic Army.pdf", "2012-10-09 - BKDR_SARHUST.A.pdf", "2012-10-05 - Dark Comet 2- Electric Boogaloo.pdf", "2012-10-12 - New Multiplatform Backdoor Jacksbot Discovered.pdf", "2012-10-09 - SASFIS.pdf", "2012-10-13 - WORM_EMUDBOT.JP.pdf", "2012-10-07 - Cracking New PseudoRandom (runforestrun) Infector.pdf", "2012-11-01 - Tracking the 2012 Sasfis campaign.pdf", "2012-11-16 - Malware Targeting Windows 8 Uses Google Docs.pdf", "2012-11-13 - New variant of Mac Trojan discovered, targeting Tibet.pdf", "2012-11-14 - Group Photos.zip OSX-Revir - OSX-iMuler samples March 2012-November 2012.pdf", "2012-11-16 - Remote Administration Tool for Android devices.pdf", "2012-11-05 - Citadel- a cyber-criminal\u2019s ultimate weapon-.pdf", "2012-10-30 - JACKSBOT Has Some Dirty Tricks up Its Sleeves.pdf", "2012-11-27 - Threat Description- Troj-Ployx-A.pdf", "2012-11-22 - W32.Narilam \u2013 Business Database Sabotage.pdf", "2012-12-03 - Compromised library.pdf", "2012-11-25 - Parastoo Hacks IAEA.pdf", "2012-12-03 - New Mac Malware Found on Dalai Lama Related Website.pdf", "2012-11-28 - Shylock\u2019s New Trick- Evading Malware Researchers.pdf", "2012-11-29 - Inside view of Lyposit aka (for its friends) Lucky LOCKER.pdf", "2012-12-06 - Nov 2012 - W32.Narilam Sample.pdf", "2012-12-07 - Aug 2012 Backdoor.Wirenet - OSX and Linux.pdf", "2012-12-05 - The path to infection - Eye glance at the first line of -Russian Underground- - focused on Ransomware.pdf", "2012-12-07 - Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT.pdf", "2012-12-07 - Nov 2012 - Backdoor.W32.Makadocs Sample.pdf", "2012-12-12 - Analysis of VirTool-WinNT-Exforel.A rootkit.pdf", "2012-12-07 - Nov 2012 Worm Vobfus Samples.pdf", "2012-12-12 - Unpacking Dexter POS -Memory Dump Parsing- Malware.pdf", "2012-12-13 - The Dexter Malware- Getting Your Hands Dirty.pdf", "2012-11-29 - What\u2019s the Fuss with WORM_VOBFUS-.pdf", "2012-12-15 - Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1).pdf", "2012-12-19 - Win32-Spy.Ranbyus modifying Java code in RBS Ukraine systems.pdf", "2012-12-17 - Sample for Sanny - Win32.Daws in CVE-2012-0158 -ACEAN Regional Security Forum- targeting Russian companies.pdf", "2012-12-18 - Malicious Apache module used for content injection- Linux-Chapro.A.pdf", "2012-12-20 - Trojan.Stabuniq Found on Financial Institution Servers.pdf", "2012-12-15 - Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2).pdf", "2012-12-23 - Dec 2012 Dexter - POS Infostealer samples and information.pdf", "2012-12-24 - Dec 2012 Linux.Chapro - trojan Apache iframer.pdf", "2012-12-27 - Nitol botnet.pdf", "2012-12-21 - Infostealer Dexter Targets Checkout Systems.pdf", "2012-12-24 - Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan.pdf", "2012-12-29 - Attack and IE 0day Informations Used Against Council on Foreign Relations.pdf", "2012-12-26 - ZeroAccess - Sirefef Rootkit - 5 fresh samples.pdf", "Crypto -Dark Comet.pdf", "Cyberattack against Israeli and Palestinian targets.pdf", "Dark Comet.pdf", "IEXPL0RE RAT.pdf", "OSX SabPub.pdf", "Flamer C & C Server.pdf", "Ixeshe.pdf", "Shamoon.pdf", "Pest Control.pdf", "The elderwood project.pdf", "The Mirage Campaign.pdf", "The Sin Digoo Affair.pdf", "Trojan Taidoor.pdf", "Wicked Rose & NCPH Hacking Group.pdf", "Fin Fisher's Spy Kit.pdf", "LuckyCat Redux.pdf", "The Madi Infostealers.pdf", "The VOHO Campaign.pdf", "The taidoor campaign.pdf", "The HeartBeat APT Campaign.pdf", "Tibet Lurk.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 22, "IPv4": 422, "URL": 347, "domain": 373, "hostname": 452, "FileHash-MD5": 927, "FileHash-SHA1": 84, "FileHash-SHA256": 248, "CVE": 42, "IPv6": 1 }, "indicator_count": 2918, "is_author": false, "is_subscribing": null, "subscriber_count": 11, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f47e886aac3dce3a958d27", "name": "2011: Malware Analysis Report", "description": "", "modified": "2026-05-01T10:20:56.666000", "created": "2026-05-01T10:20:56.666000", "tags": [], "references": [ "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-08-27 - Morto.A.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "Duqu Trojan Questions and Answers.pdf", "Palebot trojan.pdf", "HTran.pdf", "Ghost RAT- Many faces.pdf", "Operation Shady Rat.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "The RSA Hack.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "The LURID Downloader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1031, "domain": 435, "CVE": 13, "FileHash-MD5": 155, "FileHash-SHA1": 8, "FileHash-SHA256": 234, "IPv4": 88, "email": 9, "hostname": 1031 }, "indicator_count": 3004, "is_author": false, "is_subscribing": null, "subscriber_count": 12, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f4745a4a136663c5865859", "name": "2007: Malware Analysis Report", "description": "", "modified": "2026-05-01T09:37:27.211000", "created": "2026-05-01T09:37:27.211000", "tags": [], "references": [ "2007-10-31 - Trojan.Bayrob Strikes Again!.pdf", "2007-11-01 - Spam from the kernel.pdf", "2007-12-04 - Inside the Ron Paul Spam Botnet.pdf", "2007-01-09 - A Rustock-ing Stuffer.pdf", "2007-12-16 - Pushdo - Analysis of a Modern Malware Distribution System.pdf", "2007-04-03 - A Case Study of the Rustock Rootkit and Spam Bot.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 11, "hostname": 17, "IPv4": 1, "URL": 27, "email": 2, "FileHash-SHA256": 2 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 11, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-01T08:53:34.200000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "IPv4": 1630, "IPv6": 2, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 20034, "is_author": false, "is_subscribing": null, "subscriber_count": 14, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2012-11-14 - Group Photos.zip OSX-Revir - OSX-iMuler samples March 2012-November 2012.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-11-16 - Introducing LogPOS.pdf", "Behind the syria conflict.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2012-02-01 - TDL4 - Purple Haze (Pihar) Variant - sample and analysis.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-02-15 - Carbanak.pdf", "2012-12-15 - Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2).pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2012-12-27 - Nitol botnet.pdf", "IEXPL0RE RAT.pdf", "APT 28.pdf", "2012-12-03 - New Mac Malware Found on Dalai Lama Related Website.pdf", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "Duqu Trojan Questions and Answers.pdf", "Agent.BTZ to ComRAT.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "2015-01-13 - New Carberp variant heads down under.pdf", "Attacks against Israeli & Palestinian interests.pdf", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "Ixeshe.pdf", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2012-08-02 - Cridex Analysis using Volatility.pdf", "The RSA Hack.pdf", "https://www.varonis.com/blog/hive-ransomware-analysis", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "Casper Malware.pdf", "2012-08-01 - Inside the ICE IX bot, descendent of Zeus.pdf", "2007-12-16 - Pushdo - Analysis of a Modern Malware Distribution System.pdf", "2012-03-16 - OSX-Imuler updated- still a threat on Mac OS X.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "APT 28 (1).pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "The HeartBeat APT Campaign.pdf", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2012-03-26 - LUCKYCAT REDUX Inside an APT Campaign with Multiple Targets in India and Japan.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2012-12-18 - Malicious Apache module used for content injection- Linux-Chapro.A.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2012-12-17 - Sample for Sanny - Win32.Daws in CVE-2012-0158 -ACEAN Regional Security Forum- targeting Russian companies.pdf", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "2011-04-16 - Troj-Sasfis-O.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "The VOHO Campaign.pdf", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2012-07-17 - The Madi Attacks- Series of Social Engineering Campaigns.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-09-01 - Fancy Bear.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2012-07-26 - The Madi Campaign \u2013 Part II.pdf", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "https://cert.gov.ua/article/619229", "2015-06-17 - The Spring Dragon APT.pdf", "blog.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "2012-10-07 - Cracking New PseudoRandom (runforestrun) Infector.pdf", "2012-04-05 - Darkshell DDOS Botnet Evolves With Variants.pdf", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "2012-12-23 - Dec 2012 Dexter - POS Infostealer samples and information.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "2012-07-24 - New Apple Mac Trojan Called OSX-Crisis Discovered.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2012-12-24 - Dec 2012 Linux.Chapro - trojan Apache iframer.pdf", "2012-12-07 - Nov 2012 - Backdoor.W32.Makadocs Sample.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "2012-04-10 - OSX-Flashback.O sample + some domains.pdf", "Blue termite (1).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "Duqu 2.0 Win32K Exploit.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "2012-12-07 - Nov 2012 Worm Vobfus Samples.pdf", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://isc.sans.edu/diary/28636", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2012-12-24 - Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan.pdf", "Cmstar Downloader.pdf", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "Rocket Kitten.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "Operation Shady Rat.pdf", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2012-07-02 - Sykipot is back.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2012-12-05 - The path to infection - Eye glance at the first line of -Russian Underground- - focused on Ransomware.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2012-04-10 - OSX-FlashbackO sample and some domains.pdf", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2012-04-05 - China Hacked South Korea Over Missile Defense, U.S. Firm Says.pdf", "2007-11-01 - Spam from the kernel.pdf", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "Cyberattack against Israeli and Palestinian targets.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "2012-12-20 - Trojan.Stabuniq Found on Financial Institution Servers.pdf", "Ghost RAT- Many faces.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "Dark Comet.pdf", "2012-06-21 - BlackShades in Syria.pdf", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "The taidoor campaign.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "2012-04-18 - DarkMegi rootkit - sample (distributed via Blackhole).pdf", "2012-08-16 - Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "2012-10-13 - WORM_EMUDBOT.JP.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "Copy Kittens.pdf", "Babar or Bunny.pdf", "2012-05-31 - Flamer- A Recipe for Bluetoothache.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2012-12-15 - Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1).pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2012-01-06 - Cracking ColdSeal 5.4.1 FWB.pdf", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "2012-12-03 - Compromised library.pdf", "2012-12-19 - Win32-Spy.Ranbyus modifying Java code in RBS Ukraine systems.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "Crypto -Dark Comet.pdf", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "2015-02-20 - The DGAs of Necurs.pdf", "2012-11-16 - Malware Targeting Windows 8 Uses Google Docs.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "2015-03-03 - C99Shell not dead.pdf", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "2012-06-21 - RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "Tibet Lurk.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "Demonstrating Hustle.pdf", "2012-09-18 - QassamCyberFighters's Pastebin.pdf", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "2015-03-10 - The DGA of Pykspa.pdf", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "2007-01-09 - A Rustock-ing Stuffer.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2012-01-08 - Cold$eal- 'Situation is under control'.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "2015-06-24 - UnFIN4ished Business.pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2012-06-05 - Smartcard vulnerabilities in modern banking malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "APT group ups targets us gov.pdf", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2012-11-25 - Parastoo Hacks IAEA.pdf", "Wicked Rose & NCPH Hacking Group.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "2012-05-28 - The Flame- Questions and Answers.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "The LURID Downloader.pdf", "2015-02-27 - ScanBox Framework.pdf", "2012-08-10 - Gauss samples - Nation-state cyber-surveillance + Banking trojan.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2012-11-05 - Citadel- a cyber-criminal\u2019s ultimate weapon-.pdf", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "OSX SabPub.pdf", "2012-10-09 - BKDR_SARHUST.A.pdf", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "Shamoon.pdf", "2012-09-01 - URLZone reloaded- new evolution.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2012-11-01 - Tracking the 2012 Sasfis campaign.pdf", "Black Energy.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "Flamer C & C Server.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2012-07-17 - Kaspersky Lab and Seculert Announce \u2018Madi,\u2019 a Newly Discovered Cyber-Espionage Campaign in the Middle East.pdf", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2012-04-12 - OSX-Flashback.K sample and Mac OS malware study set (over 30 older samples).pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2012-02-15 - Merchant of Fraud Returns- Shylock Polymorphic Financial Malware Infections on the Rise.pdf", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2012-12-26 - ZeroAccess - Sirefef Rootkit - 5 fresh samples.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "Dukes.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2012-08-30 - Troj-Binanen-B.pdf", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://isc.sans.edu/diary/rss/26862", "2015-12-08 - VT Report for SmartEyes.pdf", "2012-08-17 - Shamoon or DistTrack.A samples.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "https://asec.ahnlab.com/en/31811/", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "2012-12-12 - Analysis of VirTool-WinNT-Exforel.A rootkit.pdf", "The Madi Infostealers.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "2012-08-20 - Crisis for Windows Sneaks onto Virtual Machines.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "2007-04-03 - A Case Study of the Rustock Rootkit and Spam Bot.pdf", "2012-01-06 - Cracking Cold$eal 5.4.1 FWB++.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "Wild Neutron.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "Fin Fisher's Spy Kit.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2012-12-06 - Nov 2012 - W32.Narilam Sample.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2012-11-13 - New variant of Mac Trojan discovered, targeting Tibet.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "2015-10-15 - Archivist.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "2012-08-13 - Syrian Electronic Army.pdf", "Afghan Government Compromise - Browser Beware.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "https://isc.sans.edu/diary/rss/28752", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "2015-10-13 - I am HDRoot! Part 2.pdf", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2012-03-06 - Virus Ukash Gendarmerie Absence twexx32.dll.pdf", "https://securelist.com/apt-luminousmoth/103332/", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Dino.pdf", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "2011-12-08 - The Sykipot Attacks.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "BBSRAT Roaming Tiger.pdf", "2012-06-06 - Tinba - Zusy - tiny banker trojan.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-08-19 - Antak WebShell.pdf", "APT CVE-2015-5119.pdf", "2012-04-16 - Detailed Analysis Of Sykipot (Smartcard Proxy Variant).pdf", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "Duke cloud Linux (1).pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2012-10-05 - Dark Comet 2- Electric Boogaloo.pdf", "Goldfish Phishing.pdf", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "Pest Control.pdf", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "2015-05-14 - The Naikon APT.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2012-08-16 - The Shamoon Attacks.pdf", "2012-12-21 - Infostealer Dexter Targets Checkout Systems.pdf", "https://cyber.wtf/2022/03/23/what-the-packer/", "2007-10-31 - Trojan.Bayrob Strikes Again!.pdf", "LuckyCat Redux.pdf", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "2012-08-16 - Shamoon the Wiper \u2013 Copycats at Work.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "The Mirage Campaign.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "Black Vine.pdf", "2012-06-09 - You dirty RAT! Part 1- DarkComet.pdf", "Indicators of Compormise Hellsing.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "2012-12-07 - Aug 2012 Backdoor.Wirenet - OSX and Linux.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "https://thedfirreport.com/2020/10/08/ryuks-return/", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2012-11-16 - Remote Administration Tool for Android devices.pdf", "2012-10-30 - JACKSBOT Has Some Dirty Tricks up Its Sleeves.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "The Sin Digoo Affair.pdf", "https://asec.ahnlab.com/en/34549/", "Apt 28 (2).pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2012-04-12 - OSX-Flashback.K sample + Mac OS malware study set (30+ older samples).pdf", "Trojan Taidoor.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "2007-12-04 - Inside the Ron Paul Spam Botnet.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "2012-09-06 - The Elderwood Project.pdf", "Attacks on France TV5 Monde.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "The elderwood project.pdf", "2012-09-19 - Blog Posts on Nitol.pdf", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "2015-09-11 - CSI MacMark- Janicab.pdf", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "Trojan Skelky.pdf", "https://cert.gov.ua/article/37704", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "HTran.pdf", "Babar.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "Animals in the APT Farm.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "2012-11-22 - W32.Narilam \u2013 Business Database Sabotage.pdf", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "2011-08-04 - Analysis of ngrBot.pdf", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "2012-11-28 - Shylock\u2019s New Trick- Evading Malware Researchers.pdf", "2011-08-27 - Morto.A.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2012-11-29 - What\u2019s the Fuss with WORM_VOBFUS-.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "2011-05-19 - Win32-Expiro.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "Anthem hack all roads lead to China.pdf", "2012-04-23 - BKDR_CYSXL.A.pdf", "Duqu 2.0 Yara rules.pdf", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-03-28 - UACME.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "https://cert.gov.ua/article/703548", "2012-06-24 - Medre.A - AutoCAD worm samples.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://istrosec.com/blog/apt-sk-cobalt/", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "Emdivi.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-08-18 - ransomware open-sources.pdf", "2012-10-02 - Blackhole Exploit Kit \u2013 Rise and Evolution.pdf", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "https://isc.sans.edu/diary/rss/27618", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "2012-11-27 - Threat Description- Troj-Ployx-A.pdf", "2015-04-15 - Betabot retrospective.pdf", "2012-12-13 - The Dexter Malware- Getting Your Hands Dirty.pdf", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "Duke cloud Linux.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2012-01-12 - Blackhole Ramnit - samples and analysis.pdf", "2012-10-12 - New Multiplatform Backdoor Jacksbot Discovered.pdf", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "2012-07-22 - Xtreme RAT analysis.pdf", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2012-07-17 - The Madi Campaign \u2013 Part I.pdf", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "China Peace Palace.pdf", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "2012-07-13 - Rovnix bootkit framework updated.pdf", "Bookworm Trojan (1).pdf", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2012-06-04 - Small banking Trojan poses major risk.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2012-12-12 - Unpacking Dexter POS -Memory Dump Parsing- Malware.pdf", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "2012-01-04 - SpyEye Malware Borrows Zeus Trick to Mask Fraud.pdf", "2012-11-29 - Inside view of Lyposit aka (for its friends) Lucky LOCKER.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "2012-08-22 - The first Trojan in history to steal Linux and Mac OS X passwords.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2012-09-28 - Dissecting 'Operation Ababil' - an OSINT Analysis.pdf", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2012-08-01 - \u201cRunForestRun\u201d, \u201cgootkit\u201d and random domain name generation.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "https://isc.sans.edu/diary/27308", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2012-12-07 - Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT.pdf", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "2012-12-29 - Attack and IE 0day Informations Used Against Council on Foreign Relations.pdf", "Palebot trojan.pdf", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2012-10-09 - SASFIS.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-09-12 - Stuxnet code.pdf", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "2012-06-15 - You Dirty RAT! Part 2 \u2013 BlackShades NET.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Threat" ], "malware_families": [ "Cobalt strike", "Darkside", "Shadow chaser", "Win32.agent", "Microbackdoor", "Bazarloader", "Socgholish", "Conti", "Primary threat", "Fancybear", "Ransomhub", "Apt29", "Socgholish netsupport", "Threat", "Credomap", "Plugx", "Kronos", "Frp", "Doorme", "Stellarparticle", "Shadowpad", "Cyclops", "Grimplant", "Beacon", "Threat analysis", "Beaconloader", "Netsupport", "Elf", "Avoslocker", "Ryuk", "Gootloader", "Matanbuchus", "Handleref", "Cozybear", "Trickbot", "Generic.933739", "Gold blackburn", "Bumblebee", "Hades", "Pcap", "Graphsteel", "Nbtscan", "Win api", "Raspberry robin", "Win32.bitcoinminer" ], "industries": [ "Military", "Technology", "Manufacturing", "Foreign affairs", "Gas", "Energy", "Media", "Industrial", "Defense", "Pharmaceutical", "Academics", "Political", "Government", "Telecommunications", "Legal", "Diplomatic", "Financial", "Aerospace", "Transport", "Banking", "Logistics", "Transportation", "Aviation" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f486c411d421163131fe6f", "name": "2012: Malware Analysis Report", "description": "", "modified": "2026-05-01T10:56:04.377000", "created": "2026-05-01T10:56:04.377000", "tags": [], "references": [ "2012-01-04 - SpyEye Malware Borrows Zeus Trick to Mask Fraud.pdf", "2012-01-08 - Cold$eal- 'Situation is under control'.pdf", "2012-01-06 - Cracking Cold$eal 5.4.1 FWB++.pdf", "2012-01-06 - Cracking ColdSeal 5.4.1 FWB.pdf", "2012-02-15 - Merchant of Fraud Returns- Shylock Polymorphic Financial Malware Infections on the Rise.pdf", "2012-02-01 - TDL4 - Purple Haze (Pihar) Variant - sample and analysis.pdf", "2012-01-12 - Blackhole Ramnit - samples and analysis.pdf", "2012-03-16 - OSX-Imuler updated- still a threat on Mac OS X.pdf", "2012-03-26 - LUCKYCAT REDUX Inside an APT Campaign with Multiple Targets in India and Japan.pdf", "2012-03-06 - Virus Ukash Gendarmerie Absence twexx32.dll.pdf", "2012-04-05 - Darkshell DDOS Botnet Evolves With Variants.pdf", "2012-04-16 - Detailed Analysis Of Sykipot (Smartcard Proxy Variant).pdf", "2012-04-10 - OSX-FlashbackO sample and some domains.pdf", "2012-04-05 - China Hacked South Korea Over Missile Defense, U.S. Firm Says.pdf", "2012-04-10 - OSX-Flashback.O sample + some domains.pdf", "2012-04-12 - OSX-Flashback.K sample + Mac OS malware study set (30+ older samples).pdf", "2012-04-12 - OSX-Flashback.K sample and Mac OS malware study set (over 30 older samples).pdf", "2012-04-23 - BKDR_CYSXL.A.pdf", "2012-04-18 - DarkMegi rootkit - sample (distributed via Blackhole).pdf", "2012-05-31 - Flamer- A Recipe for Bluetoothache.pdf", "2012-06-06 - Tinba - Zusy - tiny banker trojan.pdf", "2012-06-04 - Small banking Trojan poses major risk.pdf", "2012-05-28 - The Flame- Questions and Answers.pdf", "2012-06-05 - Smartcard vulnerabilities in modern banking malware.pdf", "2012-06-09 - You dirty RAT! Part 1- DarkComet.pdf", "2012-06-21 - BlackShades in Syria.pdf", "2012-06-15 - You Dirty RAT! Part 2 \u2013 BlackShades NET.pdf", "2012-07-02 - Sykipot is back.pdf", "2012-06-24 - Medre.A - AutoCAD worm samples.pdf", "2012-06-21 - RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army.pdf", "2012-07-17 - Kaspersky Lab and Seculert Announce \u2018Madi,\u2019 a Newly Discovered Cyber-Espionage Campaign in the Middle East.pdf", "2012-07-17 - The Madi Attacks- Series of Social Engineering Campaigns.pdf", "2012-07-13 - Rovnix bootkit framework updated.pdf", "2012-07-26 - The Madi Campaign \u2013 Part II.pdf", "2012-07-22 - Xtreme RAT analysis.pdf", "2012-08-01 - \u201cRunForestRun\u201d, \u201cgootkit\u201d and random domain name generation.pdf", "2012-07-24 - New Apple Mac Trojan Called OSX-Crisis Discovered.pdf", "2012-07-17 - The Madi Campaign \u2013 Part I.pdf", "2012-08-01 - Inside the ICE IX bot, descendent of Zeus.pdf", "2012-08-10 - Gauss samples - Nation-state cyber-surveillance + Banking trojan.pdf", "2012-08-02 - Cridex Analysis using Volatility.pdf", "2012-08-17 - Shamoon or DistTrack.A samples.pdf", "2012-08-20 - Crisis for Windows Sneaks onto Virtual Machines.pdf", "2012-08-16 - Shamoon the Wiper \u2013 Copycats at Work.pdf", "2012-08-16 - The Shamoon Attacks.pdf", "2012-08-16 - Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel.pdf", "2012-08-22 - The first Trojan in history to steal Linux and Mac OS X passwords.pdf", "2012-08-30 - Troj-Binanen-B.pdf", "2012-09-18 - QassamCyberFighters's Pastebin.pdf", "2012-09-01 - URLZone reloaded- new evolution.pdf", "2012-09-28 - Dissecting 'Operation Ababil' - an OSINT Analysis.pdf", "2012-10-02 - Blackhole Exploit Kit \u2013 Rise and Evolution.pdf", "2012-09-06 - The Elderwood Project.pdf", "2012-09-19 - Blog Posts on Nitol.pdf", "2012-08-13 - Syrian Electronic Army.pdf", "2012-10-09 - BKDR_SARHUST.A.pdf", "2012-10-05 - Dark Comet 2- Electric Boogaloo.pdf", "2012-10-12 - New Multiplatform Backdoor Jacksbot Discovered.pdf", "2012-10-09 - SASFIS.pdf", "2012-10-13 - WORM_EMUDBOT.JP.pdf", "2012-10-07 - Cracking New PseudoRandom (runforestrun) Infector.pdf", "2012-11-01 - Tracking the 2012 Sasfis campaign.pdf", "2012-11-16 - Malware Targeting Windows 8 Uses Google Docs.pdf", "2012-11-13 - New variant of Mac Trojan discovered, targeting Tibet.pdf", "2012-11-14 - Group Photos.zip OSX-Revir - OSX-iMuler samples March 2012-November 2012.pdf", "2012-11-16 - Remote Administration Tool for Android devices.pdf", "2012-11-05 - Citadel- a cyber-criminal\u2019s ultimate weapon-.pdf", "2012-10-30 - JACKSBOT Has Some Dirty Tricks up Its Sleeves.pdf", "2012-11-27 - Threat Description- Troj-Ployx-A.pdf", "2012-11-22 - W32.Narilam \u2013 Business Database Sabotage.pdf", "2012-12-03 - Compromised library.pdf", "2012-11-25 - Parastoo Hacks IAEA.pdf", "2012-12-03 - New Mac Malware Found on Dalai Lama Related Website.pdf", "2012-11-28 - Shylock\u2019s New Trick- Evading Malware Researchers.pdf", "2012-11-29 - Inside view of Lyposit aka (for its friends) Lucky LOCKER.pdf", "2012-12-06 - Nov 2012 - W32.Narilam Sample.pdf", "2012-12-07 - Aug 2012 Backdoor.Wirenet - OSX and Linux.pdf", "2012-12-05 - The path to infection - Eye glance at the first line of -Russian Underground- - focused on Ransomware.pdf", "2012-12-07 - Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT.pdf", "2012-12-07 - Nov 2012 - Backdoor.W32.Makadocs Sample.pdf", "2012-12-12 - Analysis of VirTool-WinNT-Exforel.A rootkit.pdf", "2012-12-07 - Nov 2012 Worm Vobfus Samples.pdf", "2012-12-12 - Unpacking Dexter POS -Memory Dump Parsing- Malware.pdf", "2012-12-13 - The Dexter Malware- Getting Your Hands Dirty.pdf", "2012-11-29 - What\u2019s the Fuss with WORM_VOBFUS-.pdf", "2012-12-15 - Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1).pdf", "2012-12-19 - Win32-Spy.Ranbyus modifying Java code in RBS Ukraine systems.pdf", "2012-12-17 - Sample for Sanny - Win32.Daws in CVE-2012-0158 -ACEAN Regional Security Forum- targeting Russian companies.pdf", "2012-12-18 - Malicious Apache module used for content injection- Linux-Chapro.A.pdf", "2012-12-20 - Trojan.Stabuniq Found on Financial Institution Servers.pdf", "2012-12-15 - Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2).pdf", "2012-12-23 - Dec 2012 Dexter - POS Infostealer samples and information.pdf", "2012-12-24 - Dec 2012 Linux.Chapro - trojan Apache iframer.pdf", "2012-12-27 - Nitol botnet.pdf", "2012-12-21 - Infostealer Dexter Targets Checkout Systems.pdf", "2012-12-24 - Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan.pdf", "2012-12-29 - Attack and IE 0day Informations Used Against Council on Foreign Relations.pdf", "2012-12-26 - ZeroAccess - Sirefef Rootkit - 5 fresh samples.pdf", "Crypto -Dark Comet.pdf", "Cyberattack against Israeli and Palestinian targets.pdf", "Dark Comet.pdf", "IEXPL0RE RAT.pdf", "OSX SabPub.pdf", "Flamer C & C Server.pdf", "Ixeshe.pdf", "Shamoon.pdf", "Pest Control.pdf", "The elderwood project.pdf", "The Mirage Campaign.pdf", "The Sin Digoo Affair.pdf", "Trojan Taidoor.pdf", "Wicked Rose & NCPH Hacking Group.pdf", "Fin Fisher's Spy Kit.pdf", "LuckyCat Redux.pdf", "The Madi Infostealers.pdf", "The VOHO Campaign.pdf", "The taidoor campaign.pdf", "The HeartBeat APT Campaign.pdf", "Tibet Lurk.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 22, "IPv4": 422, "URL": 347, "domain": 373, "hostname": 452, "FileHash-MD5": 927, "FileHash-SHA1": 84, "FileHash-SHA256": 248, "CVE": 42, "IPv6": 1 }, "indicator_count": 2918, "is_author": false, "is_subscribing": null, "subscriber_count": 11, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f47e886aac3dce3a958d27", "name": "2011: Malware Analysis Report", "description": "", "modified": "2026-05-01T10:20:56.666000", "created": "2026-05-01T10:20:56.666000", "tags": [], "references": [ "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-08-27 - Morto.A.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "Duqu Trojan Questions and Answers.pdf", "Palebot trojan.pdf", "HTran.pdf", "Ghost RAT- Many faces.pdf", "Operation Shady Rat.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "The RSA Hack.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "The LURID Downloader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1031, "domain": 435, "CVE": 13, "FileHash-MD5": 155, "FileHash-SHA1": 8, "FileHash-SHA256": 234, "IPv4": 88, "email": 9, "hostname": 1031 }, "indicator_count": 3004, "is_author": false, "is_subscribing": null, "subscriber_count": 12, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f4745a4a136663c5865859", "name": "2007: Malware Analysis Report", "description": "", "modified": "2026-05-01T09:37:27.211000", "created": "2026-05-01T09:37:27.211000", "tags": [], "references": [ "2007-10-31 - Trojan.Bayrob Strikes Again!.pdf", "2007-11-01 - Spam from the kernel.pdf", "2007-12-04 - Inside the Ron Paul Spam Botnet.pdf", "2007-01-09 - A Rustock-ing Stuffer.pdf", "2007-12-16 - Pushdo - Analysis of a Modern Malware Distribution System.pdf", "2007-04-03 - A Case Study of the Rustock Rootkit and Spam Bot.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 11, "hostname": 17, "IPv4": 1, "URL": 27, "email": 2, "FileHash-SHA256": 2 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 11, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-01T08:53:34.200000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "IPv4": 1630, "IPv6": 2, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 20034, "is_author": false, "is_subscribing": null, "subscriber_count": 14, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "secure.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "secure.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780188702.3301234 }