{ "authors": [ "Davide Arcuri", "Alexandre Dulaunoy", "Steffen Enders", "Andrea Garavaglia", "Andras Iklody", "Daniel Plohmann", "Christophe Vandeplas" ], "category": "tool", "description": "Malware galaxy cluster based on Malpedia.", "name": "Malpedia", "source": "Malpedia", "type": "malpedia", "uuid": "1d1c9af9-37fa-4deb-a928-f9b0abc7354a", "values": [ { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash", "https://github.com/fboldewin/FastCashMalwareDissected/", "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", "https://www.cisa.gov/uscert/ncas/alerts/TA18-275A", "https://www.cisa.gov/uscert/ncas/alerts/aa20-239a", "https://www.youtube.com/watch?v=zGvQPtejX9w", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf", "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf", "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf", "https://www.us-cert.gov/ncas/alerts/TA18-275A", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/" ], "synonyms": [], "type": [] }, "uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02", "value": "FastCash" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat", "https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/" ], "synonyms": [], "type": [] }, "uuid": "e98ae895-0831-4e10-aad1-593d1c678db1", "value": "888 RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot", "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/", "https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/", "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/", "https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://twitter.com/_icebre4ker_/status/1460527428544176128" ], "synonyms": [ "Escobar" ], "type": [] }, "uuid": "4b9c0228-2bfd-4bc7-bd64-8357a2da12ee", "value": "Aberebot" }, { "description": "According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. 
Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign", "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/" ], "synonyms": [], "type": [] }, "uuid": "57a4c8c0-140a-45e3-9166-64e3e35c5986", "value": "AbstractEmu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/", "https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html", "https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/" ], "synonyms": [ "AxeSpy" ], "type": [] }, "uuid": "5c7a35bf-e5f1-4b07-b93a-c3608cc9142e", "value": "ActionSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adobot", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://twitter.com/LukasStefanko/status/1243198756981559296" ], "synonyms": [], "type": [] }, "uuid": "d95708e9-220a-428c-b126-a63986099892", "value": "AdoBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine", "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/" ], "synonyms": [], "type": [] }, "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", "value": "AdultSwine" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.agentsmith", "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" ], "synonyms": [], "type": [] }, "uuid": "34770e6e-e2c3-4e45-aa86-9d74b5309773", "value": "Agent Smith" }, { "description": "According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth", "https://www.secrss.com/articles/24995", "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/", "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", "https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/", "https://securelist.com/transparent-tribe-part-2/98233/", "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w" ], "synonyms": [], "type": [] }, "uuid": "86a5bb47-ac59-449a-8ff2-ae46e19cc6d2", "value": "AhMyth" }, { "description": "According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). 
Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html", "https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing", "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf", "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace", "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/", "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html", "https://twitter.com/_CPResearch_/status/1603375823448317953", "https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets", "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/", "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/", "https://muha2xmad.github.io/malware-analysis/alien/" ], "synonyms": [ "AlienBot" ], "type": [] }, "uuid": "de483b10-4247-46b3-8ab5-77d089f0145c", "value": "Alien" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.amextroll", "https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html", "https://www.threatfabric.com/blogs/brata-a-tale-of-three-families" ], "synonyms": [], "type": [] }, "uuid": "6b153952-9415-4710-8175-354b59252dbc", "value": "AmexTroll" }, { "description": "This malware was initially named BlackRock and later renamed to AmpleBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.amplebot", "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html", 
"https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html", "https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html" ], "synonyms": [ "BlackRock" ], "type": [] }, "uuid": "2f3f82f6-ec21-489e-8257-0967c567798a", "value": "AmpleBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa", "https://twitter.com/_icebre4ker_/status/1416409813467156482", "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/", "https://gbhackers.com/teabot-banking-trojan/", "https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe", "https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html", "https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign", "https://www.threatfabric.com/blogs/anatsa-trojan-returns-targeting-europe-and-expanding-its-reach", "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered", "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html", "https://labs.k7computing.com/?p=22407", "https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/", "https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf", "https://twitter.com/ThreatFabric/status/1394958795508523008", "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368", "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html", "https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/", "https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf", "https://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store", "https://www.cleafy.com/documents/teabot" ], "synonyms": [ "ReBot", "TeaBot", "Toddler" ], "type": [] }, "uuid": 
"147081b9-7e59-4613-ad55-bbc08141fee1", "value": "Anatsa" }, { "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve information from it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat", "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg", "https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat", "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html", "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/", "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat", "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/", "https://github.com/DesignativeDave/androrat" ], "synonyms": [], "type": [] }, "uuid": "80447111-8085-40a4-a052-420926091ac6", "value": "AndroRAT" }, { "description": "According to Google, a Chrome cookie stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androsnatch", "https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/" ], "synonyms": [], "type": [] }, "uuid": "8cd795ed-3a4d-41a3-abb1-0c3dd3aa4eab", "value": "ANDROSNATCH" }, { "description": "BleepingComputer found that 
Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app's login screen to make victims think it's a legitimate login form when in reality, inputted credentials are sent to the attackers.\r\n\r\nIn the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:\r\n\r\nRecording screen activity and sound from the microphone\r\nImplementing a SOCKS5 proxy for covert communication and package delivery\r\nCapturing screenshots\r\nSending mass SMS messages from the device to specified recipients\r\nRetrieving contacts stored on the device\r\nSending, reading, deleting, and blocking notifications for SMS messages received by the device\r\nScanning the device for files of interest to exfiltrate\r\nLocking the device screen and displaying a persistent ransom note\r\nSubmitting USSD code requests to query bank balances\r\nCapturing GPS data and pedometer statistics\r\nImplementing a keylogger to steal credentials\r\nMonitoring active apps to mimic and perform overlay attacks\r\nStopping malicious functionality and removing the malware from the device", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis", "https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb", "https://pentest.blog/n-ways-to-unpack-mobile-malware/", "https://muha2xmad.github.io/malware-analysis/anubis/", "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html", "https://assets.virustotal.com/reports/2021trends.pdf", "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html", "http://blog.koodous.com/2017/05/bankbot-on-google-play.html", "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus", "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html", 
"https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html", "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html", "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/", "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/", "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis", "https://0x1c3n.tech/anubis-android-malware-analysis", "https://community.riskiq.com/article/85b3db8c", "https://www.youtube.com/watch?v=U0UsfO-0uJM", "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/", "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/", "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/", "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ", "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [ "BankBot", "android.bankbot", "android.bankspy" ], "type": [] }, "uuid": "85975621-5126-40cb-8083-55cbfa75121b", "value": "Anubis (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy", "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf", 
"http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/" ], "synonyms": [], "type": [] }, "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184", "value": "AnubisSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" ], "synonyms": [], "type": [] }, "uuid": "dffa06ec-e94f-4fd7-8578-2a98aace5473", "value": "Asacub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ashas", "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" ], "synonyms": [], "type": [] }, "uuid": "aabcfbb6-6385-486d-a30b-e3a2edcf493d", "value": "Ashas" }, { "description": "According to Lukas Stefanko, this is an open-source crypto-ransomware found on Github in 2018.\r\nIt can en/decrypt files (AES, key: 32 random chars, sent to C&C), uses email as contact point but will remove all files after 24 hours or after a reboot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.atank", "https://twitter.com/LukasStefanko/status/1268070798293708800" ], "synonyms": [], "type": [] }, "uuid": "231f9f49-6752-49af-9ee0-7774578fcbe4", "value": "ATANK" }, { "description": "According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. 
The weaponized applications use fake promises or rewards and discounts as additional lures.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.axbanker", "https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks", "https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.&text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link." ], "synonyms": [], "type": [] }, "uuid": "4a854e8c-d6ad-4997-8931-b27e39b7f7fa", "value": "AxBanker" }, { "description": "BadBazaar is a type of malware primarily functioning as a banking Trojan. Designed to compromise Android devices, it is often distributed through malicious apps downloaded from unofficial app stores or third-party websites. Once installed, BadBazaar seeks to steal financial information and login credentials by intercepting SMS messages, performing screen recordings, and logging keystrokes on the device. 
Additionally, it can execute remote commands and download and install other malicious applications, further compromising the security of the affected device.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar", "https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15" ], "synonyms": [], "type": [] }, "uuid": "80b30290-40d3-4ce3-a878-2e0af4b107d8", "value": "badbazaar" }, { "description": "remote access tool (RAT) payload on Android devices", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall", "https://www.us-cert.gov/ncas/analysis-reports/ar19-252a" ], "synonyms": [], "type": [] }, "uuid": "5eec00de-5d81-4907-817d-f99cb33d9b66", "value": "BADCALL (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch", "https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/" ], "synonyms": [ "WelcomeChat" ], "type": [] }, "uuid": "9b96e274-1602-48a4-8e0d-9f756d4e835b", "value": "BadPatch" }, { "description": "According to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use Bahamut to steal sensitive information. 
The newest malware version targets various messaging apps and personally identifiable information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/", "https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/", "https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ], "synonyms": [], "type": [] }, "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", "value": "Bahamut (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke", "https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/", "https://twitter.com/LukasStefanko/status/1280243673100402690", "https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE" ], "synonyms": [], "type": [] }, "uuid": "c59b65d6-d363-4b19-b082-d72508e782c0", "value": "Basbanke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian", "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726", "https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5", "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221", 
"https://www.youtube.com/watch?v=DPFcvSy4OZk", "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html", "https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56", "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html", "https://cryptax.medium.com/bad-zip-and-new-packer-for-android-bianlian-5bdad4b90aeb", "https://cryptax.medium.com/android-bianlian-payload-61febabed00a" ], "synonyms": [ "Hydra" ], "type": [] }, "uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc", "value": "BianLian (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bingomod", "https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data" ], "synonyms": [], "type": [] }, "uuid": "2778f61a-48e4-4585-8eff-983d5a4fd6ac", "value": "BingoMod" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.blankbot", "https://intel471.com/blog/blankbot-a-new-android-banking-trojan-with-screen-recording-keylogging-and-remote-control-capabilities" ], "synonyms": [], "type": [] }, "uuid": "c4a42580-bc5e-4185-adfd-cc6ade9b8424", "value": "BlankBot" }, { "description": "According to PCrisk, BrasDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.\r\n\r\nAt the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. 
Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brasdex", "https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html" ], "synonyms": [], "type": [] }, "uuid": "dc5408e9-e9e8-44fd-ac5c-231483d0ebe3", "value": "BrasDex" }, { "description": "According to Cleafy, the victim's Android device is factory reset after the attackers siphon money from the victim's bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata", "https://www.threatfabric.com/blogs/toad-fraud", "https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat", "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", "https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again", "https://securelist.com/spying-android-rat-from-brazil-brata/92775/", "https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html", "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account" ], "synonyms": [ "AmexTroll", "Copybara" ], "type": [] }, "uuid": "d9ff080d-cde0-48da-89db-53435c99446b", "value": "BRATA" }, { "description": "PRODAFT describes Brunhilda as a \"Dropper as a Service\" for Google Play, delivering e.g. 
Alien.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda", "https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan", "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html", "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud", "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf" ], "synonyms": [], "type": [] }, "uuid": "5d3d5f52-0a55-4c81-af87-7809ce43906b", "value": "Brunhilda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper", "https://securelist.com/busygasper-the-unfriendly-spy/87627/" ], "synonyms": [], "type": [] }, "uuid": "4bf68bf8-08e5-46f3-ade5-0bd4f124b168", "value": "BusyGasper" }, { "description": "According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (APT) called APT36 (also known as Earth Karkaddan). 
CapraRAT allows attackers to perform certain actions on the infected Android device.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat", "https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/", "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html", "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/" ], "synonyms": [], "type": [] }, "uuid": "7cd1c5f3-7635-46d2-87f1-e638fb8d714c", "value": "CapraRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "56090c0b-2b9b-4624-8eff-ef6d3632fd2b", "value": "CarbonSteal" }, { "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. 
Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://www.youtube.com/watch?v=1LOy0ZyjEOk" ], "synonyms": [], "type": [] }, "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", "value": "Catelites" }, { "description": "According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was created in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send commands to users' devices and perform dangerous actions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus", "https://twitter.com/AndroidCerberus", "https://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/", "https://github.com/ics-iot-bootcamp/cerberus_research", "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf", "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/", "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/", "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf", "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html", "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html", "https://securelist.com/the-state-of-stalkerware-in-2021/106193/", 
"https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html", "https://nur.pub/cerberus-analysis", "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/", "https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf", "https://community.riskiq.com/article/85b3db8c", "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus" ], "synonyms": [], "type": [] }, "uuid": "c3a2448f-bb41-4201-b524-3ddcb02ddbf4", "value": "Cerberus" }, { "description": "The malware Chameleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chameleon", "https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/", "https://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app", "https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" ], "synonyms": [], "type": [] }, "uuid": "90b3a256-311d-416b-b333-e02b910ba75d", "value": "Chameleon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois", "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html", "https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/" ], "synonyms": [], "type": [] }, "uuid": 
"2e230ff8-3971-4168-a966-176316cbdbf2", "value": "Chamois" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger", "https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf", "http://blog.checkpoint.com/2017/01/24/charger-malware/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017", "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html" ], "synonyms": [], "type": [] }, "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", "value": "Charger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chinotto", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/" ], "synonyms": [], "type": [] }, "uuid": "6cc7b402-21cf-4510-be7d-d7f811a57bc1", "value": "Chinotto (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor", "https://twitter.com/alexanderjaeger/status/1417447732030189569", "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/", "https://objective-see.com/blog/blog_0x67.html", "https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages", "https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/", "https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests", "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/", "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf", "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html", 
"https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/", "https://nex.sx/blog/2021/08/03/the-pegasus-project.html", "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/", "https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/", "https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/", "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/", "https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/", "https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/", "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/", "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying", "https://citizenlab.ca/2021/07/amnesty-peer-review/", "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/", "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/", "https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto", "https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/", "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and", "https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/", "https://www.theguardian.com/news/series/pegasus-project", "https://thewire.in/tag/pegasus-project", "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20", "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/", 
"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/", "https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/", "https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/", "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/", "https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus", "https://thewire.in/media/pegasus-project-spyware-indian-journalists", "https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus", "https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5", "https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/", "https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso", "https://media.ccc.de/v/33c3-7901-pegasus_internals", "https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/", "https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/", "https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/", "https://therecord.media/mexican-army-spyware", "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/", "https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/", "https://twitter.com/billmarczak/status/1416801439402262529", "https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html", "https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat", "https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/", 
"https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/", "https://irpimedia.irpi.eu/sorveglianze-cy4gate/", "https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample", "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/", "https://forbiddenstories.org/about-the-pegasus-project/", "https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure", "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html", "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/", "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1", "https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/" ], "synonyms": [ "JigglyPuff", "Pegasus" ], "type": [] }, "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", "value": "Chrysaor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor", "https://twitter.com/LukasStefanko/status/1042297855602503681" ], "synonyms": [], "type": [] }, "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724", "value": "Clientor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper", "https://news.drweb.com/show?lng=en&i=12739", "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/", "https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html", "https://web.archive.org/web/20201107225915/https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html" ], "synonyms": [], "type": [] }, "uuid": 
"ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e", "value": "Clipper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cloudatlas", "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware" ], "synonyms": [], "type": [] }, "uuid": "ed780667-b67c-4e17-ab43-db1b7e018e66", "value": "CloudAtlas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot", "https://twitter.com/LukasStefanko/status/1102937833071935491" ], "synonyms": [], "type": [] }, "uuid": "151bf399-aa8f-4160-b9b5-8fe222f2a6b1", "value": "CometBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic", "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/" ], "synonyms": [ "SpyBanker" ], "type": [] }, "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a", "value": "Connic" }, { "description": "Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot.\r\nMalicious Coper apps have a modular architecture and a multi-stage infection mechanism. 
Coper was originally spotted in Colombia but has since emerged in Europe as well.
"https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html", "https://www.zscaler.com/blogs/security-research/technical-analysis-copybara" ], "synonyms": [], "type": [] }, "uuid": "e3d07fda-d29d-42e4-a0d6-5827b2d14d17", "value": "Copybara" }, { "description": "Poses as an app that can offer a \"corona safety mask\" but phone's address book and sends sms to contacts, spreading its own download link.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm", "https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan", "https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html" ], "synonyms": [], "type": [] }, "uuid": "f041032e-01af-4e66-9fb2-f8da88a6ea35", "value": "Coronavirus Android Worm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer", "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/" ], "synonyms": [], "type": [] }, "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", "value": "Cpuminer (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.craxs_rat", "https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en", "https://www.group-ib.com/blog/craxs-rat-malware/" ], "synonyms": [], "type": [] }, "uuid": "1f7a8a57-f3e2-4e4b-a4d7-8eb0ba9243c5", "value": "CraxsRAT" }, { "description": "According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. 
CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.\r\n\r\nWhen CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.\r\n\r\nWhen files have been encrypted, a notification is displayed directing users to open the ransom note.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor", "https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/" ], "synonyms": [ "CryCrypter", "CryDroid" ], "type": [] }, "uuid": "21e9d7e6-6e8c-49e4-8869-6bac249cda8a", "value": "CryCryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cyber_azov", "https://twitter.com/sekoia_io/status/1554086468104196096", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" ], "synonyms": [], "type": [] }, "uuid": "bb1821f9-eace-4e63-b55d-fc7821a6e5f1", "value": "CyberAzov" }, { "description": "According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. 
With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.\r\n\r\nLookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.daam", "https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/", "https://www.lookout.com/blog/iranian-spyware-bouldspy" ], "synonyms": [ "BouldSpy" ], "type": [] }, "uuid": "37a3b62e-99da-47d7-81fb-78f745427b16", "value": "DAAM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades", "https://twitter.com/LukasStefanko/status/1252163657036976129" ], "synonyms": [ "Rogue" ], "type": [] }, "uuid": "97fe35c9-f50c-495f-8736-0ecd95c70192", "value": "Dark Shades" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dawdropper", "https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html" ], "synonyms": [], "type": [] }, "uuid": "bd9756da-220d-48d6-a4f5-6646558c4b30", "value": "DawDropper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id", "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [ "Defensor Digital" ], "type": [] }, "uuid": "76346e4d-d14e-467b-9409-82b28a4d6cd6", "value": "DEFENSOR ID" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid", 
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" ], "synonyms": [], "type": [] }, "uuid": "89989df2-e8bc-4074-a8a2-130a15d6625f", "value": "Dendroid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy", "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/", "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" ], "synonyms": [], "type": [] }, "uuid": "72a25832-4bf4-4505-a77d-8c0fc52dc85d", "value": "dmsSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "73fd1bda-e4aa-4777-a628-07580bc070f4", "value": "DoubleAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker", "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c", "value": "DoubleLocker" }, { "description": "Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and distributes through phishing sites.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dracarys", "https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/" ], "synonyms": [], "type": [] }, "uuid": "bf94eee6-2274-40f4-b181-2b49ce6ef9fb", "value": "Dracarys" }, { 
"description": "Android variant of ios.LightSpy.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dragonegg", "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack", "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41" ], "synonyms": [ "LightSpy" ], "type": [] }, "uuid": "4ef28f14-17f4-4f87-a292-e63b42027c8c", "value": "DragonEgg" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack", "https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic" ], "synonyms": [], "type": [] }, "uuid": "8990cec7-ddd8-435e-97d6-5b36778e86fe", "value": "DroidJack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidwatcher", "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf" ], "synonyms": [], "type": [] }, "uuid": "15f3e50b-9fa5-4eab-ac2b-928e9ce03b72", "value": "DroidWatcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", "value": "DualToy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" ], "synonyms": [], "type": [] }, "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b", "value": "Dvmap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.elibomi", "https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/", 
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-android-malware-targets-taxpayers-in-india/", "https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.&text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link." ], "synonyms": [ "Drinik" ], "type": [] }, "uuid": "63cc0b01-c92e-40e7-8669-48d10a490ffb", "value": "Elibomi" }, { "description": "According to Intel471, ERMAC, an Android banking trojan enables bad actors to determine when certain apps are launched and then overwrites the screen display to steal the user's credentials", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac", "https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/", "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html", "https://twitter.com/ShilpeshTrivedi/status/1709096404835356883", "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace", "https://twitter.com/ESETresearch/status/1445618031464357888", "https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover", "https://blog.cyble.com/2022/05/25/ermac-back-in-action/", "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html" ], "synonyms": [], "type": [] }, "uuid": "602944f4-a86c-4a05-b98f-cfb525fb8896", "value": "ERMAC" }, { "description": "ErrorFather is an Android banking trojan with a multi-stage dropper. 
The final payload is derived from the Cerberus source code leak.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.errorfather", "https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/" ], "synonyms": [], "type": [] }, "uuid": "2c7f6a97-4469-4f97-9a69-5549282a94a6", "value": "ErrorFather" }, { "description": "According to ThreatFabric, the app overlays 15 financial targets from UK, Italy, and Spain, sniffs 234 apps from banks located in Europe as well as crypto wallets.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot", "https://twitter.com/ThreatFabric/status/1240664876558823424", "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "https://www.youtube.com/watch?v=qqwOrLR2rgU" ], "synonyms": [], "type": [] }, "uuid": "5a6fb8cd-d582-4c8c-b7e0-a5b4cf4f248f", "value": "Eventbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot", "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html", "https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/", "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/", "https://blog.cyble.com/2022/03/24/coper-banking-trojan/", "https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/", "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/", "https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/" ], "synonyms": [], "type": [] }, "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd", "value": "ExoBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", 
"https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv", "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store", "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" ], "synonyms": [], "type": [] }, "uuid": "462bc006-b7bd-4e10-afdb-52baf86121e8", "value": "Exodus" }, { "description": "Facebook Credential Stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.facestealer", "https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html", "https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/", "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/" ], "synonyms": [], "type": [] }, "uuid": "c35ebd96-d2f8-4add-b86f-f552ed5dfa9b", "value": "FaceStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakeadblocker", "https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/" ], "synonyms": [], "type": [] }, "uuid": "d0ae2b6b-5137-4b64-be3e-4bbc9aa007a6", "value": "FakeAdBlocker" }, { "description": "According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakecalls", "https://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/", "https://research.checkpoint.com/2023/south-korean-android-banking-menace-fakecalls/" ], "synonyms": [], "type": [] }, "uuid": "014aeab6-2292-4ee5-83d6-fffb0fc21423", "value": "Fakecalls" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakedefend", "https://www.fortiguard.com/encyclopedia/virus/5543975/android-fakedefend-c-tr" ], "synonyms": [], "type": [] }, 
"uuid": "8ea1fc8c-ec66-4d39-b32a-da69d3277da4", "value": "FakeDefend" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/", "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/", "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681", "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html" ], "synonyms": [], "type": [] }, "uuid": "dd821edd-901b-4a5e-b35f-35bb811964ab", "value": "FakeSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram", "https://blog.talosintelligence.com/2018/11/persian-stalker.html" ], "synonyms": [ "FakeTGram" ], "type": [] }, "uuid": "6c0fc7e4-4629-494f-b471-f7a8cc47c0e0", "value": "FakeGram" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fastfire", "https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f" ], "synonyms": [], "type": [] }, "uuid": "5613da3a-06f5-4363-b468-0b8a03ffc292", "value": "FastFire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fastspy", "https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f" ], "synonyms": [], "type": [] }, "uuid": "a5e3e217-3790-4d7c-b67a-906b9ee69034", "value": 
"FastSpy" }, { "description": "According to heimdal, A new strain of ransomware emerged on Android mobile devices. It targets those who are running the operating system Android 5.1 and higher. This Android ransomware strain has been dubbed by security researchers FileCoder (Android/Filecoder.c) and it spreads via text messages containing a malicious link.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder", "https://www.welivesecurity.com/2019/07/29/android-ransomware-back/" ], "synonyms": [], "type": [] }, "uuid": "09ff3520-b643-44bd-a0de-90c0e75ba12f", "value": "FileCoder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher", "https://github.com/linuzifer/FinSpy-Dokumentation", "https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/", "https://securelist.com/finspy-unseen-findings/104322/", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" ], "synonyms": [], "type": [] }, "uuid": "0bf7acd4-6493-4126-9598-d2ed069e32eb", "value": "FinFisher (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy", "https://mobisec.reyammer.io/slides", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", "value": "FlexiSpy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet", "https://twitter.com/LukasStefanko/status/886849558143279104", "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [ "gugi" ], "type": [] 
}, "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f", "value": "FlexNet" }, { "description": "PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot", "https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/", "https://mobile.twitter.com/alberto__segura/status/1400396365759500289", "https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain", "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/", "https://securityintelligence.com/posts/story-of-fakechat-malware/", "https://therecord.media/flubot-malware-gang-arrested-in-barcelona/", "https://twitter.com/malwrhunterteam/status/1359939300238983172", "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html", "https://hispasec.com/resources/FedexBanker.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://twitter.com/alberto__segura/status/1395675479194095618", "https://twitter.com/alberto__segura/status/1404098461440659459", "https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/", "https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/", "https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html", 
"https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9", "https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html", "https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users", "https://www.prodaft.com/m/reports/FluBot_4.pdf", "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered", "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones", "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://twitter.com/alberto__segura/status/1399249798063087621?s=20", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.infinitumit.com.tr/flubot-zararlisi/", "https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/", "https://twitter.com/alberto__segura/status/1402615237296148483", "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368", "https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond", "https://blog.zimperium.com/flubot-vs-zimperium/", "https://twitter.com/alberto__segura/status/1384840011892285440", "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf", "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/", "https://www.ncsc.admin.ch/22w12-de", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06", 
"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon", "https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/", "https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027" ], "synonyms": [ "Cabassous", "FakeChat" ], "type": [] }, "uuid": "ef91833f-3334-4955-9218-f106494e9fc0", "value": "FluBot" }, { "description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse", "https://www.fortinet.com/blog/threat-research/fortinet-reverses-flutter-based-android-malware-fluhorse", "https://cryptax.medium.com/inside-kangapack-the-kangaroo-packer-with-native-decryption-3e7e054679c4", "https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/" ], "synonyms": [], "type": [] }, "uuid": "aeaeb8b2-650e-471d-a901-3c4fbae42854", "value": "FluHorse" }, { "description": "Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flytrap", "https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/" ], "synonyms": [], "type": [] }, "uuid": "24af5bcc-d4bd-42dd-aed4-f994b30b4921", "value": "FlyTrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot", "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681", "https://securelist.com/roaming-mantis-part-v/96250/", "https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html" ], "synonyms": [], "type": [] }, "uuid": "bc0d37fa-113a-45ba-8a1c-b9d818e31f27", "value": "FunkyBot" }, { "description": "According to Check Point, they uncovered an operation dubbed \"Domestic Kitten\", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. 
This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball", "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html", "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", "https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/", "https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf", "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program", "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/", "https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/" ], "synonyms": [], "type": [] }, "uuid": "53282cc8-fefc-47d7-b6a5-a82a05a88f2a", "value": "FurBall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost", "https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/", "https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "b9639878-733c-4f30-9a13-4680a7e17415", "value": "Geost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghimob", "https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/" ], "synonyms": [], "type": [] }, "uuid": "3d1f2591-05fe-42f4-aaf8-ed1428f17605", "value": "Ghimob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/" ], "synonyms": [], "type": [] }, "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5", "value": "GhostCtrl" }, { "description": "Gigabud is the name of an Android Remote Access Trojan (RAT) that can record the victim's screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping, and other applications. Threat actors have been observed using deceptive websites to distribute Gigabud RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gigabud", "https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/", "https://www.group-ib.com/blog/gigabud-banking-malware/" ], "synonyms": [], "type": [] }, "uuid": "8f188382-7a31-46a5-83c6-5991dfe739ee", "value": "Gigabud" }, { "description": "Ginp is a mobile banking trojan targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit card numbers by implementing overlay attacks. Overlay targets include, for example, the default SMS application. What makes Ginp a remarkable family is that its operators managed to keep it undetected over time even while it received version upgrades over many years. 
According to ThreatFabric, Ginp has the following features:\r\n\r\nOverlaying: Dynamic (local overlays obtained from the C2)\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nContact list collection\r\nApplication listing\r\nOverlaying: Targets list update\r\nSMS: Sending\r\nCalls: Call forwarding\r\nC2 Resilience: Auxiliary C2 list\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nSelf-protection: Emulation-detection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp", "https://twitter.com/ESETresearch/status/1269945115738542080", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://www.youtube.com/watch?v=WeL_xSryj8E", "https://muha2xmad.github.io/malware-analysis/ginp/", "https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/", "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/" ], "synonyms": [], "type": [] }, "uuid": "77e9ace0-f6e5-4d6e-965a-a653ff626be1", "value": "Ginp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove", "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773", "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/", "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/", "https://www.clearskysec.com/glancelove/" ], "synonyms": [], "type": [] }, "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49", "value": "GlanceLove" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gnatspy", "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html" ], "synonyms": [], "type": [] }, "uuid": "a3b6a355-3afe-49ae-9f87-679c6c382943", "value": "GnatSpy" 
}, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goat_rat", "https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/" ], "synonyms": [], "type": [] }, "uuid": "f699d295-1072-418b-8aa2-cb36fbd4c6c7", "value": "GoatRAT" }, { "description": "According to PCrisk, Godfather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use Godfather to steal account credentials. Additionally, Godfather can steal SMSs, device information, and other data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather", "https://github.com/LaurieWired/StrangeLoop", "https://blog.group-ib.com/godfather-trojan", "https://brandefense.io/blog/godfather-android-banking-trojan/", "https://muha2xmad.github.io/malware-analysis/godfather/" ], "synonyms": [], "type": [] }, "uuid": "8e95a9d5-08fb-4f11-b70a-622148bd1e62", "value": "Godfather" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "b7c0c11d-8471-4b10-bbf2-f9c0f30bc27e", "value": "GoldenEagle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat", "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/" ], "synonyms": [], "type": [] }, "uuid": "e111fff8-c73c-4069-b804-2d3732653481", "value": "GoldenRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gold_digger", "https://www.group-ib.com/blog/golddigger-fraud-matrix/" ], "synonyms": [], "type": [] }, "uuid": "8ff9cde1-627e-4967-8b12-195544f31d83", "value": "GoldDigger" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact", "https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail", "https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/" ], "synonyms": [], "type": [] }, "uuid": "008ef3f3-579e-4065-ad0a-cf96be00becf", "value": "goontact" }, { "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed", "https://blog.talosintelligence.com/2018/10/gplayerbanker.html", "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" ], "synonyms": [], "type": [] }, "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32", "value": "GPlayed" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gravity_rat", "https://blog.talosintelligence.com/cosmic-leopard/" ], "synonyms": [], "type": [] }, "uuid": "fed09d31-6378-4e85-b644-5500491dff88", "value": "Gravity RAT (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.grifthorse", "https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/" ], "synonyms": [], "type": [] }, "uuid": "fe40a0b2-be48-41c5-8814-7fa3a6a993b9", "value": "GriftHorse" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.guerrilla", "https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html" ], "synonyms": [], "type": [] }, "uuid": 
"57de6ac2-8cf0-4022-aee2-5f76e3dbd503", "value": "Guerrilla" }, { "description": "Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities.\r\nThe analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff", "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html", "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "https://www.group-ib.com/media/gustuff/", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://blog.talosintelligence.com/2019/10/gustuffv2.html" ], "synonyms": [], "type": [] }, "uuid": "a5e2b65f-2087-465d-bf14-4acf891d5d0f", "value": "Gustuff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf", 
"https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990", "https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/" ], "synonyms": [], "type": [] }, "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", "value": "HARDRAIN (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw", "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/", "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw" ], "synonyms": [], "type": [] }, "uuid": "5ae490bd-84ca-434f-ab34-b87bd38e4523", "value": "HawkShaw" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox", "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/" ], "synonyms": [], "type": [] }, "uuid": "0185f9f6-018e-4eb5-a214-d810cb759a38", "value": "HenBox" }, { "description": "Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. 
It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit", "https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/", "https://www.lighthousereports.nl/investigation/revealing-europes-nso", "https://de.lookout.com/blog/hermit-spyware-discovery" ], "synonyms": [], "type": [] }, "uuid": "b95f25a0-ba22-4320-95e3-323fbf852846", "value": "Hermit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat", "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/" ], "synonyms": [], "type": [] }, "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6", "value": "HeroRAT" }, { "description": "HiddenAd is a malware that shows ads as overlays on the phone.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad", "https://twitter.com/LukasStefanko/status/1136568939239137280", "https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/" ], "synonyms": [], "type": [] }, "uuid": "171c97ca-6b61-426d-8f72-c099528625e9", "value": "HiddenAd" }, { "description": "RAT, which can be used to extract sensitive information, e.g. 
contact lists, text messages, location information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hilalrat", "https://thehackernews.com/2022/04/microsoft-obtains-court-order-to-take.html" ], "synonyms": [], "type": [] }, "uuid": "96bea6aa-3202-4352-8e36-fa05c677c0e8", "value": "HilalRAT" }, { "description": "According to ThreatFabric, this is a malware family based on apk.ermac. The name Hook is the self-advertised name used by its vendor, DukeEugene. It provides WebSocket communication and has RAT capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hook", "https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/", "https://www.sciencedirect.com/science/article/pii/S266628172400088X", "https://github.com/0xperator/hookbot_source", "https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65" ], "synonyms": [], "type": [] }, "uuid": "c101bc42-1011-43f6-9d30-629013c318cd", "value": "Hook" }, { "description": "Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. It does this by asking the user to grant dangerous permissions such as the Accessibility Service; every time the banking app is opened, the malware hijacks the session by overlaying the legitimate banking application's login page with a malicious one. 
The goal is the same, to trick the user to enter his login credentials so that it will go straight to the malware authors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/", "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/", "https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5", "https://muha2xmad.github.io/malware-analysis/hydra/", "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221", "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace", "https://twitter.com/muha2xmad/status/1570788983474638849", "https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0", "https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65", "https://cryptax.medium.com/android-bianlian-payload-61febabed00a" ], "synonyms": [], "type": [] }, "uuid": "ae25953d-cf7c-4304-9ea2-2ea1498ea035", "value": "Hydra" }, { "description": "Android variant of IPStorm (InterPlanetary Storm).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ipstorm", "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf", "https://www.justice.gov/usao-pr/pr/russian-and-moldovan-national-pleads-guilty-operating-illegal-botnet-proxy-service", "https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/" ], "synonyms": [ "InterPlanetary Storm" ], "type": [] }, "uuid": "dc0c8824-64ac-4ab2-a0e4-955a14ecc59c", 
"value": "IPStorm (Android)" }, { "description": "According to redpiranha, IRATA (Iranian Remote Access Trojan) Android Malware is a new malware detected in the wild. It originates from a phishing attack through SMS. The theme of the message resembles information coming from the government that will ask you to download this malicious application. IRATA can collect sensitive information from your mobile phone including bank details. Since it infects your mobile, it can also gather your SMS messages which then can be used to obtain 2FA tokens.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irata", "https://muha2xmad.github.io/malware-analysis/irata/", "https://onecert.ir/portal/blog/irata", "https://twitter.com/muha2xmad/status/1562831996078157826" ], "synonyms": [], "type": [] }, "uuid": "24fb43b4-d6a6-49c0-a862-4211a245b635", "value": "IRATA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf", "value": "IRRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat", "https://blog.lookout.com/mobile-threat-jaderat" ], "synonyms": [], "type": [] }, "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0", "value": "JadeRAT" }, { "description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google’s official app store with the help of its trail signatures which includes updating the virus’s code, execution process, and payload-retrieval techniques. 
This malware is capable of stealing users’ personal information including contact details, device data, WAP services, and SMS messages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker", "https://www.threatfabric.com/blogs/toad-fraud", "https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1", "https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/", "https://labs.k7computing.com/?p=22199", "https://muha2xmad.github.io/malware-analysis/hydra/", "https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/", "https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451", "https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/", "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html", "https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2", "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus", "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/" ], "synonyms": [ "Bread" ], "type": [] }, "uuid": "aa2ad8f4-3c46-4f16-994b-2a79c7481cac", "value": "Joker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/" ], "synonyms": [], "type": [] }, "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0", "value": 
"KevDroid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.knspy", "https://community.riskiq.com/article/6f60db72", "https://s.tencent.com/research/report/951.html", "https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html", "https://twitter.com/voodoodahl1/status/1267571622732578816", "https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/", "https://blog.talosintelligence.com/2020/10/donot-firestarter.html" ], "synonyms": [], "type": [] }, "uuid": "084ebca7-91da-4d9c-8211-a18f358ac28b", "value": "KnSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler", "https://twitter.com/LukasStefanko/status/928262059875213312" ], "synonyms": [], "type": [] }, "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3", "value": "Koler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.konni", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11" ], "synonyms": [], "type": [] }, "uuid": "d4f90ffc-72cb-49a5-b796-527785f49161", "value": "Konni (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ksremote", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/" ], "synonyms": [], "type": [] }, "uuid": "196d51bf-cf97-455d-b997-fc3e377f2188", "value": "KSREMOTE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf", "https://www.youtube.com/watch?v=nilzxS9rxEM", "https://twitter.com/malwrhunterteam/status/1337684036374945792", "https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/" ], 
"synonyms": [], "type": [] }, "uuid": "41cb4397-7ae0-4a9f-894f-47828e768aa9", "value": "LittleLooter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki", "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/" ], "synonyms": [], "type": [] }, "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", "value": "Loki" }, { "description": "Android banking trojan with the standard banking capabilities such as overlays and SMS stealing. It also features ransomware functionality. Note that its network traffic is obfuscated the same way as in Android BankBot. Not to be confused with the Windows Loki/LokiBot password-stealer, which is a separate family; several of the references listed here appear to concern that Windows family rather than this Android one.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot", "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html", "https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/", "https://muha2xmad.github.io/mal-document/lokibotpdf/", "https://isc.sans.edu/diary/27282", "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/", "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/", "https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view" ], "synonyms": [], "type": [] }, "uuid": "4793a29b-1191-4750-810e-9301a6576fc4", "value": "LokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat", "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html" ], "synonyms": [], "type": [] }, "uuid": "1785a4dd-4044-4405-91c2-efb722801867", 
"value": "LuckyCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mandrake", "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" ], "synonyms": [], "type": [] }, "uuid": "0f587654-7f70-43be-9f1f-95e3a2cc2014", "value": "Mandrake" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware", "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html" ], "synonyms": [ "ExoBot" ], "type": [] }, "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e", "value": "Marcher" }, { "description": "According to Heimdal, MasterFred is an Android trojan that uses fake login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The attackers' goal is to steal credit card information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred", "https://twitter.com/AvastThreatLabs/status/1458162276708483073" ], "synonyms": [ "Brox" ], "type": [] }, "uuid": "87131ea3-4c5e-42ba-a8e2-edd62a0bcd8d", "value": "MasterFred" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot", "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/", "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html" ], "synonyms": [], "type": [] }, "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826", "value": "MazarBot" }, { "description": "According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. 
It is using TCP for C&C communication and targets Turkish banks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa", "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html", "https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered", "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html", "https://twitter.com/ThreatFabric/status/1285144962695340032" ], "synonyms": [ "Gorgona" ], "type": [] }, "uuid": "f155e529-dbea-4e4d-9df3-518401191c82", "value": "Medusa (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter", "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html", "https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe", "https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12", "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w" ], "synonyms": [], "type": [] }, "uuid": "e1ae3e4e-5aaf-4ffe-ba2f-7871507f6d52", "value": "Meterpreter (Android)" }, { "description": "Check Point has identified samples of this spyware being distributed since 2015. 
No samples were found on Google Play, meaning they were likely distributed through other channels such as social engineering.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mobile_order", "https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/" ], "synonyms": [], "type": [] }, "uuid": "ee19588f-9752-4516-85f4-de18acfc64b3", "value": "MobileOrder" }, { "description": "Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques, as well as the ability to install an attacker-specified certificate into the trusted certificate store of an infected device, which would allow man-in-the-middle (MITM) attacks against the device's encrypted traffic.\r\nAccording to Lookout researchers, it is believed to be developed by Special Technology Center (STC), which is a Russian defense contractor sanctioned by the U.S. Government in connection to alleged interference in the 2016 US presidential elections.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle", "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "739d6d22-b187-4754-9098-22625ea612cc", "value": "Monokle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao", "https://www.xanhacks.xyz/p/moqhao-malware-analysis", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/", "https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/", "https://securelist.com/roaming-mantis-part-v/96250/", "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html", "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf", 
"https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/", "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/", "https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1", "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681", "https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", "https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/", "https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484", "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html", "https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends", "https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/" ], "synonyms": [ "Shaoye", "XLoader" ], "type": [] }, "uuid": "41a9408d-7020-4988-af2c-51baf4d20763", "value": "MoqHao" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.morder_rat", "https://www.ctfiot.com/138538.html" ], "synonyms": [], "type": [] }, "uuid": "f91f27ad-edcd-4e3d-824e-23f6acd81a7b", "value": "MOrder RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater", "https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf" ], "synonyms": [], "type": [] }, "uuid": "9a8a5dd0-c86e-40d1-bc94-51070447c907", "value": "Mudwater" }, { "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot", "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html" ], "synonyms": [], "type": [] }, "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde", "value": "MysteryBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.nexus", "https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet", "https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail" ], "synonyms": [], "type": [] }, "uuid": "fe0b4e6e-268e-4c63-a095-bf1ddff95055", "value": "Nexus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat", "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT", "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" ], "synonyms": [], "type": [] }, "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5", "value": "OmniRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.oscorp", "https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution", "https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/" ], "synonyms": [ "UBEL" ], "type": [] }, "uuid": "8d383260-102f-46da-8cc6-7659cbbd9452", "value": "Oscorp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat", "https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/" ], "synonyms": [], "type": [] }, "uuid": "b0f56103-1771-4e01-9ed7-44149e39ce93", "value": "PackChat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance", 
"https://securelist.com/it-threat-evolution-q2-2020/98230", "https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf", "https://securelist.com/apt-phantomlance/96772/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view" ], "synonyms": [ "PWNDROID1" ], "type": [] }, "uuid": "a73375a5-3384-4515-8538-b598d225586d", "value": "PhantomLance" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.phoenix", "https://cryptax.medium.com/reverse-engineering-of-android-phoenix-b59693c03bd3" ], "synonyms": [], "type": [] }, "uuid": "b5d57344-0486-4580-a437-54c61cb0bf4d", "value": "Phoenix" }, { "description": "According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.phonespy", "https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/" ], "synonyms": [], "type": [] }, "uuid": "ff00bbb6-6856-4cf5-adde-d1cc536dd0e2", "value": "PhoneSpy" }, { "description": "According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. 
The malware also has features to facilitate device location tracking; deleting, downloading, and uploading files; reading connectivity state, speed, and activity; and toggling Bluetooth, Wi-Fi, and mobile data settings.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pineflower", "https://www.mandiant.com/media/17826", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "a17a7c5d-0a8f-42e7-b4c9-63c258267776", "value": "PINEFLOWER" }, { "description": "According to PCrisk, PixPirate is a dangerous Android banking Trojan that has the capability to carry out ATS (Automatic Transfer System) attacks. This allows threat actors to automatically transfer funds through the Pix Instant Payment platform, which numerous Brazilian banks use.\r\n\r\nIn addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, block its own uninstallation, and carry out malvertising attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixpirate", "https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan" ], "synonyms": [], "type": [] }, "uuid": "cdf707bd-a8b0-4ee3-917d-a56b11f30206", "value": "PixPirate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixstealer", "https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/", "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/" ], "synonyms": [ "BrazKing" ], "type": [] }, "uuid": "5d047596-eb67-4fed-b41d-65fa975150c5", "value": "PixStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat", "https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/", "https://labs.k7computing.com/?p=22537", 
"https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ" ], "synonyms": [], "type": [] }, "uuid": "6fa6c769-2546-4a5c-a3c7-24dda4ab597d", "value": "PjobRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec", "https://securelist.com/jack-of-all-trades/83470/" ], "synonyms": [], "type": [] }, "uuid": "82f9c4c1-2619-4236-a701-776c6c781f45", "value": "Podec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30", "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/", "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/" ], "synonyms": [ "Popr-d30" ], "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "value": "X-Agent (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub" ], "synonyms": [], "type": [] }, "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616", "value": "Fake Pornhub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat", "https://twitter.com/LukasStefanko/status/1084774825619537925" ], "synonyms": [], "type": [] }, "uuid": "661471fe-2cb6-4b83-9deb-43225192a849", "value": "Premier RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rafelrat", "https://github.com/swagkarna/Rafel-Rat", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/" ], "synonyms": [], "type": [] }, "uuid": "cdaa0a6d-3709-4e6f-8807-fff388baaba0", "value": "Rafel RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rambleon", "https://interlab.or.kr/archives/2567", "https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab" ], "synonyms": [], "type": [] }, "uuid": "41ab3c99-297c-465c-8375-3e9f7ce4b996", "value": 
"RambleOn" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rana", "https://blog.reversinglabs.com/blog/rana-android-malware" ], "synonyms": [], "type": [] }, "uuid": "65a8e406-b535-4c0a-bc6d-d1bec3c55623", "value": "Rana" }, { "description": "RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East.\r\nThe malware is spread through links on social media and pretends to be an application for services like VPN and phone number spoofing. Unwary users install these trojanized applications and grant the malware the access it requests.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ratmilad", "https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices" ], "synonyms": [], "type": [] }, "uuid": "542c3e5e-2124-4c36-af05-65893974d5ce", "value": "RatMilad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir", "https://twitter.com/PhysicalDrive0/statuses/798825019316916224" ], "synonyms": [], "type": [] }, "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef", "value": "Raxir" }, { "description": "RedAlert 2 is a new Android malware used by attackers to harvest login credentials for various e-banking apps. 
The malware works by overlaying the legitimate app's login screen with a fake one that sends the entered credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim from being notified of suspicious activity.\r\nAs a distribution vector, RedAlert 2 uses third-party app stores and imitates real Android apps such as Viber and WhatsApp, or poses as a fake Adobe Flash Player update.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2", "https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores" ], "synonyms": [], "type": [] }, "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f", "value": "RedAlert2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.remrat", "https://blogs.360.cn/post/analysis-of-RemRAT.html" ], "synonyms": [], "type": [] }, "uuid": "23809a2b-3c24-41c5-a310-2b8045539202", "value": "RemRAT" }, { "description": "The Android app used by Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking it is a legitimate app. 
Moreover, if the visitor is not an intended victim, the APK download link does not serve the malicious APK but the legitimate 'Signal Private Messenger' app, so the phone does not get infected; this also complicates sample collection by analysts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe", "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html", "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/", "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html", "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html", "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html", "https://www.govcert.admin.ch/blog/33/the-retefe-saga" ], "synonyms": [], "type": [] }, "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "value": "Retefe (Android)" }, { "description": "According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take over online accounts using the stolen login credentials. 
This malware abuses Accessibility Services to perform malicious activities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.revive", "https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan" ], "synonyms": [], "type": [] }, "uuid": "25669934-14bf-463f-bcae-c59c590c3bf8", "value": "Revive" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.riltok", "https://securelist.com/mobile-banker-riltok/91374/", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145" ], "synonyms": [], "type": [] }, "uuid": "d7b347f8-77a5-4197-b818-f3af504da2c1", "value": "Riltok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis", "https://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8", "https://securelist.com/roaming-mantis-part-v/96250/", "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf", "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/", "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/", "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/", "https://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7", "https://securelist.com/roaming-mantis-reaches-europe/105596/" ], "synonyms": [], "type": [] }, "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82", "value": "Roaming Mantis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rogue", "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/" ], "synonyms": [], "type": [] }, "uuid": "4b53480a-8006-4af7-8e4e-cc8727c62648", "value": "Rogue" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik", "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java", "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer" ], "synonyms": [], "type": [] }, "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417", "value": "Rootnik" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker", "https://twitter.com/LukasStefanko/status/1117795290155819008" ], "synonyms": [], "type": [] }, "uuid": "a7c058cf-d482-42cf-9ea7-d5554287ea65", "value": "Sauron Locker" }, { "description": "SharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in Europe (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot", "https://muha2xmad.github.io/malware-analysis/sharkbot/", "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/", "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html", "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf", "https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/", "https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/", "https://bin.re/blog/the-dgas-of-sharkbot/", "https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe", "https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" ], 
"synonyms": [], "type": [] }, "uuid": "7b20fdb1-5aee-4f17-a88e-bcd72c893f0a", "value": "SharkBot" }, { "description": "SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sidewinder", "https://ti.qianxin.com/blog/articles/analysis-of-malware-android-software-spread-by-sidewinder-using-google-play/", "https://www.group-ib.com/blog/hunting-sidewinder/" ], "synonyms": [], "type": [] }, "uuid": "af929cac-e0c6-4a63-ac5a-02c4cbbab746", "value": "SideWinder (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "00ab3d3b-dbbf-40de-b3d8-a3466704a1a7", "value": "SilkBean" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree", "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" ], "synonyms": [], "type": [] }, "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22", "value": "Skygofree" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo", "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html", "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html" ], "synonyms": [ "SlemBunk" ], "type": [] }, "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff", "value": "Slempo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker", "https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/", "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/" ], "synonyms": [], 
"type": [] }, "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0", "value": "Slocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent", "https://blog.alyac.co.kr/2128", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" ], "synonyms": [], "type": [] }, "uuid": "ee42986c-e736-4092-a2f9-2931a02c688d", "value": "SmsAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy" ], "synonyms": [], "type": [] }, "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab", "value": "SMSspy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.soumnibot", "https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/" ], "synonyms": [], "type": [] }, "uuid": "ed53cdaf-0649-4ca5-adcd-592a46f79da8", "value": "SoumniBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova", "https://muha2xmad.github.io/malware-analysis/sova/", "https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/", "https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail", "https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections", "https://cryptax.medium.com/eyes-on-android-s-o-v-a-botnet-sample-fb5ed332d08", "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly", "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" ], "synonyms": [], "type": [] }, "uuid": "2aa95661-b63a-432e-8e5e-74ac93b42d57", "value": "S.O.V.A." 
}, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker", "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/", "https://news.drweb.com/show/?i=11104&lng=en" ], "synonyms": [], "type": [] }, "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04", "value": "SpyBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spyc23", "https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" ], "synonyms": [], "type": [] }, "uuid": "8fb4910f-e645-4465-a202-a20835416c87", "value": "SpyC23" }, { "description": "SpyMax is a popular Android surveillance tool. Its predecessor, SpyNote, was one of the most widely used spyware frameworks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax", "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions", "https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league", "https://twitter.com/malwrhunterteam/status/1250412485808717826", "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", "https://www.group-ib.com/blog/craxs-rat-malware/", "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html" ], "synonyms": [], "type": [] }, "uuid": "e1dfb554-4c17-4d4c-ac48-604c48d8ab0b", "value": "SpyMax" }, { "description": "The malware has been released on github at https://github.com/EVLF/Cypher-Rat-Source-Code", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote", "https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", "https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn", 
"https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places", "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA", "https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages", "https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/", "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/", "https://labs.k7computing.com/index.php/spynote-an-android-snooper/", "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html", "https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/", "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w", "https://www.group-ib.com/blog/craxs-rat-malware/", "https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions", "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan", "https://labs.k7computing.com/index.php/spynote-targets-irctc-users/", "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions", "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/" ], "synonyms": [ "CypherRat" ], "type": [] }, "uuid": "31592c69-d540-4617-8253-71ae0c45526c", "value": "SpyNote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" ], "synonyms": [], "type": [] }, "uuid": "0777cb30-534f-44bb-a7af-906a422bd624", "value": "StealthAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango", 
"https://www.lookout.com/blog/stealth-mango", "https://www.lookout.com/info/stealth-mango-report-ty" ], "synonyms": [], "type": [] }, "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f", "value": "Stealth Mango" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng", "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/", "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [], "type": [] }, "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76", "value": "Svpeng" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher", "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/" ], "synonyms": [], "type": [] }, "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e", "value": "Switcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat", "https://www.secureworks.com/research/threat-profiles/platinum-terminal", "https://twitter.com/LukasStefanko/status/1118066622512738304" ], "synonyms": [ "Assassin RAT" ], "type": [] }, "uuid": "46151a0d-aa0a-466c-9fff-c2c3474f572e", "value": "TalentRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tangle_bot", "https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled", "https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered" ], "synonyms": [], "type": [] }, "uuid": "1e37d712-df02-48aa-82fc-28fa80c92c2b", "value": "TangleBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea", "value": "TeleRAT" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar", "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" ], "synonyms": [], "type": [] }, "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff", "value": "TemptingCedar Spyware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.thiefbot", "https://business.xunison.com/thiefbot-a-new-android-banking-trojan-targeting-turkish-banking-users/" ], "synonyms": [], "type": [] }, "uuid": "5863d2eb-920d-4263-8c4b-7a16d410ff89", "value": "ThiefBot" }, { "description": "According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tianyspy", "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" ], "synonyms": [], "type": [] }, "uuid": "8260dda5-f608-48f2-9341-28dbc5a8e895", "value": "TianySpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz", "http://blog.group-ib.com/cron" ], "synonyms": [ "Catelites Android Bot", "MarsElite Android Bot" ], "type": [] }, "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3", "value": "TinyZ" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan", "https://www.alienvault.com/blogs/labs-research/delivery-keyboy", "https://blog.lookout.com/titan-mobile-threat" ], "synonyms": [], "type": [] }, "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327", "value": "Titan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.toxic_panda", "https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam" ], "synonyms": [], "type": [] }, "uuid": "7ac4865d-dc9d-468e-a462-67dfc63d118b", "value": "ToxicPanda" }, { "description": 
"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada", "https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/", "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html", "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/", "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/", "https://securelist.com/triada-trojan-in-whatsapp-mod/103679/", "https://securelist.com/apkpure-android-app-store-infected/101845/", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/", "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" ], "synonyms": [], "type": [] }, "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8", "value": "Triada" }, { "description": "TrickMo is an advanced banking trojan for Android. Starting out as a companion malware to TrickBot in 2020, it first became a standalone banking trojan by addition of overlay attacks in 2021 and was later (2024) upgraded with remote control capabilities for on-device fraud. 
The continued development and progressively improved obfuscation suggest an active threat actor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.trickmo", "https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak", "https://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/", "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/" ], "synonyms": [], "type": [] }, "uuid": "cff89ce1-a133-48a6-b8bd-e4f97cf23d6a", "value": "TrickMo" }, { "description": "Bitdefender described Triout as an Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware's surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then exfiltrating all of that to an attacker-controlled C&C (command and control) server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout" ], "synonyms": [], "type": [] }, "uuid": "bd9ce51c-53f9-411b-b46a-aba036c433b1", "value": "Triout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ultima_sms", "https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast" ], "synonyms": [], "type": [] }, "uuid": "65476d5f-321f-4385-867a-383094cadb58", "value": "UltimaSMS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001", "https://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/" ], "synonyms": [], "type": [] }, "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6", "value": "Unidentified APK 
001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002" ], "synonyms": [], "type": [] }, "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544", "value": "Unidentified APK 002" }, { "description": "According to Check Point Research, this is a RAT that is disguised as a set of dating apps like \"GrixyApp\", \"ZatuApp\", \"Catch&See\", including dedicated websites to conceal their malicious purpose.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_004", "https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" ], "synonyms": [], "type": [] }, "uuid": "55626b63-4b9a-468e-92ae-4b09b303d0ed", "value": "Unidentified APK 004" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005" ], "synonyms": [], "type": [] }, "uuid": "5413ca94-1385-40c0-8eb2-1fc3aff87fb1", "value": "Unidentified APK 005" }, { "description": "Information stealer posing as a fake banking app, targeting Korean users.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006", "https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/", "https://twitter.com/ReBensk/status/1438027183490940931", "https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749", "https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20" ], "synonyms": [], "type": [] }, "uuid": "2263198d-af38-4e38-a7a8-4435d29d88e8", "value": "Unidentified APK 006" }, { "description": "According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. 
The application was customized to include RAT functionality.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_007", "https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/" ], "synonyms": [], "type": [] }, "uuid": "75c641c4-17df-43c4-9773-c27464c5d2ff", "value": "Unidentified 007 (ARMAAN RAT)" }, { "description": "Android malware distributed through fake shopping websites targeting Malaysian users, targeting banking information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_008", "https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "2ffddca0-841c-4eb6-9983-ff38abb5d6d6", "value": "Unidentified APK 008" }, { "description": "According to Google, a Chrome reconnaissance payload", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_009", "https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/" ], "synonyms": [], "type": [] }, "uuid": "6d3bcabe-6b3a-49c1-b1a9-2239ce06deae", "value": "Unidentified APK 009 (Chrome Recon)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vajraspy", "https://twitter.com/malwrhunterteam/status/1481312752782258176", "https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww", "https://twitter.com/LukasStefanko/status/1509451238366236674" ], "synonyms": [], "type": [] }, "uuid": "c328b30f-e076-47dc-8c93-4d20f62c72ab", "value": "VajraSpy" }, { "description": "Related to the micropsia windows malware and also sometimes named micropsia.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vamp", "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" ], "synonyms": [ "android.micropsia" ], "type": [] }, "uuid": 
"1ad5b462-1b0d-4c2f-901d-ead6c9f227bc", "value": "vamp" }, { "description": "According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn", "https://www.mandiant.com/media/17826", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "6da6dfb6-2c50-465c-9394-26695d72e8c7", "value": "VINETHORN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat", "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf", "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/" ], "synonyms": [], "type": [] }, "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9", "value": "Viper RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vultur", "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud", "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html", "https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan", "https://twitter.com/_icebre4ker_/status/1485651238175846400", "https://www.threatfabric.com/blogs/vultur-v-for-vnc.html", "https://embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns/" ], "synonyms": [ "Vulture" ], "type": [] }, "uuid": "49b1c344-ce13-48bf-9839-909ba57649c4", "value": "Vultur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex", 
"https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/", "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/", "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/", "https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack" ], "synonyms": [], "type": [] }, "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46", "value": "WireX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wolf_rat", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" ], "synonyms": [], "type": [] }, "uuid": "994c7bb3-ba40-41bb-89b3-f05996924b10", "value": "WolfRAT" }, { "description": "According to Avira, this is a banking trojan targeting Japan.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba", "https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan", "https://securelist.com/roaming-mantis-reaches-europe/105596/" ], "synonyms": [], "type": [] }, "uuid": "40a5d526-ef9f-4ddf-a326-6f33dceeeebc", "value": "Wroba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wyrmspy", "https://cryptax.medium.com/organizing-malware-analysis-with-colander-example-on-android-wyrmspy-1f3ec30ae33b", "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack", "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41" ], "synonyms": [ "AndroidControl" ], "type": [] }, "uuid": "77f81373-bb3a-449d-82ff-b28fe31acef6", "value": "WyrmSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot", 
"https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/", "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/" ], "synonyms": [], "type": [] }, "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", "value": "Xbot" }, { "description": "Xenomorph is a Android Banking RAT developed by the Hadoken.Security actor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph", "https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html", "https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html", "https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html", "https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5", "https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0", "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html" ], "synonyms": [], "type": [] }, "uuid": "d202e42d-2c35-4c1c-90f1-644a8cae38f1", "value": "Xenomorph" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xhelper", "https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/" ], "synonyms": [], "type": [] }, "uuid": "f54dec1f-bec6-4f4a-a909-690d65e0f14b", "value": "xHelper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xploitspy", "https://twitter.com/malwrhunterteam/status/1249768400806653952", "https://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/" ], "synonyms": [], "type": [] }, "uuid": "57600f52-b55f-49c7-9c0c-de10b2d23370", "value": "XploitSPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat", 
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf", "https://asec.ahnlab.com/en/59590/", "https://blog.lookout.com/xrat-mobile-threat" ], "synonyms": [], "type": [] }, "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", "value": "XRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth", "https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html" ], "synonyms": [], "type": [] }, "uuid": "a2dad59d-2355-415c-b4d6-62236d3de4c7", "value": "YellYouth" }, { "description": "According to cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zanubis", "https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/" ], "synonyms": [], "type": [] }, "uuid": "cebf13e5-dbfc-49d6-8715-e3b7687d386f", "value": "Zanubis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen", "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" ], "synonyms": [], "type": [] }, "uuid": "46d6d102-fc38-46f7-afdc-689cafe13de5", "value": "Zen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf", "https://securelist.com/whos-who-in-the-zoo/85394/", "https://securelist.com/whos-who-in-the-zoo/85394", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.secureworks.com/research/threat-profiles/cobalt-juno" ], "synonyms": [], "type": [] }, "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3", "value": "ZooPark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg", 
"http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", "https://securelist.com/ztorg-from-rooting-to-sms/78775/", "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1" ], "synonyms": [ "Qysly" ], "type": [] }, "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", "value": "Ztorg" }, { "description": "WebShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.nightrunner", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/" ], "synonyms": [], "type": [] }, "uuid": "b0206aac-30ff-41ce-b7d4-1b94ab15e3b1", "value": "Nightrunner" }, { "description": "WebShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.tunna", "https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/" ], "synonyms": [], "type": [] }, "uuid": "b057f462-dc32-4f7b-95e0-98a20a48f2b2", "value": "Tunna" }, { "description": "According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.\r\n\r\nThe secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. 
When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, up-, download and deletion of files and capability to manipulate MAC timestamps.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface", "https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf", "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf", "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf", "https://www.youtube.com/watch?v=GjquFKa4afU" ], "synonyms": [ "HighShell", "HyperShell", "Minion", "SEASHARPEE" ], "type": [] }, "uuid": "a98a04e5-1f86-44b8-91ff-dbe1534782ba", "value": "TwoFace" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "d4318f40-a39a-4ce0-8d3c-246d9923d222", "value": "Unidentified ASP 001 (Webshell)" }, { "description": "Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, perform internet scans, and serve web pages. It is probably linked to Xanthe-based clipjacking campaign.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot", "https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/", "https://www.cadosecurity.com/the-continued-evolution-of-abcbot/", "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/", "https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/" ], "synonyms": [], "type": [] }, "uuid": "8d17175b-4e9f-43a9-851d-898bb6696984", "value": "Abcbot" }, { "description": "Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.abyss", "https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/" ], "synonyms": [ "elf.hellokitty" ], "type": [] }, "uuid": "302a96b1-73cb-4f70-a329-e68debd87bf8", "value": "Abyss Locker" }, { "description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. 
The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba", "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/" ], "synonyms": [], "type": [] }, "uuid": "cd2d7040-edc4-4985-b708-b206b08cc1fe", "value": "ACBackdoor (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidpour", "https://www.trellix.com/blogs/research/pouring-acid-rain/", "https://twitter.com/juanandres_gs/status/1769726024600768959" ], "synonyms": [], "type": [] }, "uuid": "11981e96-be46-4ce9-8085-af7224591951", "value": "AcidPour" }, { "description": "A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidrain", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", "https://www.trellix.com/blogs/research/pouring-acid-rain/", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", 
"https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/", "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html", "https://cybersecuritynews.com/acidrain-wiper-malware/", "https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm" ], "synonyms": [], "type": [] }, "uuid": "6108aa3d-ea6e-47fd-9344-d333b07f5a56", "value": "AcidRain" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker", "https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/", "https://twitter.com/IntezerLabs/status/1326880812344676352", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "5d04aac3-fdf5-4922-9976-3a5a75e96e1a", "value": "AgeLocker" }, { "description": "AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop", "https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html" ], "synonyms": [ "CloudBot" ], "type": [] }, "uuid": "e91fcb82-e788-44cb-be5d-73b9601b9533", "value": "AirDropBot" }, { "description": "Honeypot-aware variant of Mirai.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru", "https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/" ], "synonyms": [], "type": [] }, "uuid": "e288425b-40f0-441e-977f-5f1264ed61b6", "value": "Aisuru" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.akira", "https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/", "https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/", "https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html", "https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat", "https://labs.k7computing.com/index.php/akiras-play-with-linux/", "https://medium.com/@DCSO_CyTec/unransomware-from-zero-to-full-recovery-in-a-blink-8a47dd031df3" ], "synonyms": [], "type": [] }, "uuid": "365081b9-f60d-4484-befa-d4fc9d0f55d7", "value": "Akira (ELF)" }, { "description": "Backdoor deployed by the TrickBot actors. 
It uses DNS as the command and control channel as well as for exfiltration of data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/", "https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate", "https://www.netscout.com/blog/asert/dropping-anchor", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "b88dc3ec-d94c-4e6e-a846-5d07130df550", "value": "AnchorDNS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.angryrebel", "https://www.secureworks.com/research/threat-profiles/bronze-olive", "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf" ], "synonyms": [ "Ghost RAT" ], "type": [] }, "uuid": "6cb47609-b03e-43d9-a4c7-8342f1011f3b", "value": "ANGRYREBEL" }, { "description": "AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. 
Once deployed, AVrecon will collect some information about the infected device, open a session to a pre-configured C&C server, and spawn a remote shell for command execution.
They also assumed that the malware is still in development, because of some bugs and not fully implemented features.
Decoded, Backdoorit is a multiplatform RAT written in Go programming language and supporting both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoorit", "https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/" ], "synonyms": [ "backd00rit" ], "type": [] }, "uuid": "4a4bc444-9e93-47a6-a572-0e13f743d875", "value": "Backdoorit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16", "https://news.drweb.com/show/?c=5&i=10193&lng=en" ], "synonyms": [], "type": [] }, "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8", "value": "Irc16" }, { "description": "BADCALL is a Trojan malware variant used by the group Lazarus Group. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.badcall", "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack" ], "synonyms": [], "type": [] }, "uuid": "350817e8-4d70-455e-b1fd-000bed4a4cf4", "value": "BADCALL (ELF)" }, { "description": "Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. 
It has been used to launch attacks of up to 400 Gbps.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", "https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora", "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218", "https://securityscorecard.com/wp-content/uploads/2024/01/Report-A-Detailed-Analysis-Of-The-Gafgyt-Malware-Targeting-IoT-Devices.pdf", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/", "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt", "https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/", "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group", "https://vb2020.vblocalhost.com/uploads/VB2020-Liu.pdf", "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf", "https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/", "https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/", "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", "https://blog.cyber5w.com/gafgyt-backdoor-analysis", "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", 
"https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/", "https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/", "https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/", "https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/" ], "synonyms": [ "Gafgyt", "gayfgt", "lizkebab", "qbot", "torlus" ], "type": [] }, "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9", "value": "Bashlite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter", "https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/" ], "synonyms": [], "type": [] }, "uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209", "value": "BCMPUPnP_Hunter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bianlian", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/", "https://www.youtube.com/live/O2Wx7mQHR2I?si=uydJupvHK6sxxw3n", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/" ], "synonyms": [], "type": [] }, "uuid": "f6be433e-7ed0-4777-876b-e3e2ba7d5c7f", "value": "BianLian (ELF)" }, { "description": "According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the \"nohup\" command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. 
Its actions include overwriting files, renaming them with a random string containing \"BiBi,\" and excluding certain file types from corruption.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bibi_linux", "https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group" ], "synonyms": [], "type": [] }, "uuid": "efec7bb0-4ec7-4c97-a8a9-28e0fea19852", "value": "BiBi-Linux" }, { "description": "Linux version of the Bifrose malware, which originally targeted the Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost", "https://twitter.com/strinsert1Na/status/1595553530579890176", "https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/", "https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" ], "synonyms": [ "elf.bifrose" ], "type": [] }, "uuid": "8fa6dd0e-b630-419f-bd01-5271dd8f27c6", "value": "Bifrost" }, { "description": "A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. 
It uses a wordlist-based DGA to generate its C&C domains.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor", "https://blog.netlab.360.com/bigviktor-dga-botnet/" ], "synonyms": [], "type": [] }, "uuid": "901ab128-2d23-41d7-a9e7-6a34e281804e", "value": "BigViktor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bioset", "https://twitter.com/IntezerLabs/status/1409844721992749059" ], "synonyms": [], "type": [] }, "uuid": "8e301f58-acef-48e7-ad8b-c27d3ed38eed", "value": "BioSet" }, { "description": "ESXi encrypting ransomware, using a combination of the stream cipher ChaCha20 and RSA.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackbasta", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a", "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/", "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview", "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/", "https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/" ], "synonyms": [], "type": [] }, "uuid": "35c86fef-18fe-491c-ad3c-13f98e8f5584", "value": "Black Basta (ELF)" }, { "description": "ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. 
ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.\r\n\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat", "https://killingthebear.jorgetesta.tech/actors/alphv", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/", "https://x.com/vxunderground/status/1731138180672344095?t=reBMQQFFMGQ_zkV8KmL_LA&s=01", "https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://blog.group-ib.com/blackcat", "https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/", "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/", "https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/", 
"https://securelist.com/a-bad-luck-blackcat/106254/", "https://www.forescout.com/resources/analysis-of-an-alphv-incident", "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", "https://securelist.com/new-ransomware-trends-in-2022/106457/", "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", "https://www.intrinsec.com/alphv-ransomware-gang-analysis/", "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", "https://twitter.com/sisoma2/status/1473243875158499330", "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/", "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/" ], "synonyms": [ "ALPHV", "Noberus" ], "type": [] }, "uuid": "860e9d03-830e-4410-ac89-75b6eb89e7e5", "value": "BlackCat (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter", "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", 
"https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://blog.group-ib.com/blackmatter2", "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://twitter.com/VK_Intel/status/1423188690126266370", "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", "https://us-cert.cisa.gov/ncas/alerts/aa21-291a", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", "https://twitter.com/GelosSnake/status/1451465959894667275", "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", "https://www.youtube.com/watch?v=NIiEcOryLpI", "https://blog.group-ib.com/blackmatter#" ], "synonyms": [], "type": [] }, "uuid": "1277a4bf-466c-40bc-b000-f55cbd0994a7", "value": "BlackMatter (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota", "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/", "https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "a30aedcc-562e-437a-827c-55bc00cf3506", "value": "Blackrota" }, { "description": "According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blacksuit", "https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/", "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html" ], "synonyms": [], "type": [] }, "uuid": "5bdbeaae-0def-4547-9940-33ad94060955", "value": "BlackSuit (ELF)" }, { "description": "According to Mandiant, this malware family is attributed to a potential Chinese background and is directly related 
to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove", "https://services.google.com/fh/files/misc/01-chinese-espionage-article-m-trends-2024.pdf", "https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html", "https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf", "https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw" ], "synonyms": [], "type": [] }, "uuid": "8f347147-c34e-4698-9439-c640233fca15", "value": "BOLDMOVE (ELF)" }, { "description": "This is a pentesting tool and according to the author, \"BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.\".\r\n\r\nIt has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.botb", "https://github.com/brompwnie/botb" ], "synonyms": [ "BOtB" ], "type": [] }, "uuid": "57c9ab70-7133-441a-af66-10c0e4eb898b", "value": "Break out the Box" }, { "description": "According to Alien Labs, this malware targets embedded devices including routers with more than 30 exploits.\r\nSourceCode: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go (2021-10-16)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.botenago", "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux", "https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/", "https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github", 
"https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits", "https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/" ], "synonyms": [], "type": [] }, "uuid": "dffcc168-cb76-4ae6-b913-c369e92c614b", "value": "BotenaGo" }, { "description": "BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor", "https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/", "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics", "https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html", "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://troopers.de/troopers22/talks/7cv8pz/", "https://twitter.com/cyb3rops/status/1523227511551033349", "https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#", "https://unfinished.bike/fun-with-the-new-bpfdoor-2023", "https://twitter.com/CraigHRowland/status/1523266585133457408", "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://nikhilh-20.github.io/blog/cbpf_bpfdoor/", "https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/", 
"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896", "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor" ], "synonyms": [ "JustForFun" ], "type": [] }, "uuid": "3c7082b6-0181-4064-8e35-ab522b49200f", "value": "BPFDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.brute_ratel", "https://bruteratel.com/" ], "synonyms": [], "type": [] }, "uuid": "2fa4ac4e-3f89-4fd0-b4fd-2c776dcf69d8", "value": "brute_ratel" }, { "description": "Pangu Lab discovered this backdoor during a forensic investigation in 2013. They refer to related incidents as \"Operation Telescreen\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bvp47", "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf", "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf", "https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html", "https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/" ], "synonyms": [], "type": [] }, "uuid": "0492f9bf-3c5d-4c17-993b-2b53d0fb06f7", "value": "Bvp47" }, { "description": "Linux malware cross-compiled for x86, MIPS, ARM. 
XOR-encoded strings; 13 commands are supported for its C&C, including downloading, file modification and execution, and the ability to run shell commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.caja", "https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ" ], "synonyms": [], "type": [] }, "uuid": "06816c22-be7c-44db-8d0d-395ab306bb9b", "value": "Caja" }, { "description": "According to Avast Decoded, Caligula is a multiplatform IRC bot that allows performing DDoS attacks. It is written in Go and distributed in ELF files targeting Intel 32/64bit code, as well as ARM 32bit and PowerPC 64bit. It is based on the Hellabot open source project.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.caligula", "https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/" ], "synonyms": [], "type": [] }, "uuid": "c936f24c-c04a-4cab-9ac6-6384a2d4c283", "value": "Caligula" }, { "description": "XMRig-based mining malware written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.capoae", "https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread" ], "synonyms": [], "type": [] }, "uuid": "c1b0528b-c674-4c76-8e1d-5846ba8af261", "value": "Capoae" }, { "description": "This is in the same family as eBury and Calfbot, and is also likely related to DarkLeech.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked", "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/", "https://www.symantec.com/security-center/writeup/2013-050214-5501-99", "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html", "https://blogs.cisco.com/security/linuxcdorked-faqs", "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/" ], "synonyms": [ "CDorked.A" ], "type": [] }, "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0", "value": "CDorked" 
}, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief", "https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/" ], "synonyms": [], "type": [] }, "uuid": "27d06ac9-42c4-433a-b1d7-660710d9e8df", "value": "CDRThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cephei", "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader" ], "synonyms": [], "type": [] }, "uuid": "baa0704b-50d8-48af-91e1-049f30f422cc", "value": "Cephei" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cetus", "https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/" ], "synonyms": [], "type": [] }, "uuid": "7a226df2-9599-4002-9a38-b044e16f76a9", "value": "Cetus" }, { "description": "Sophos describes this malware as a DDoS bot, with its name originating from ChaCha-Lua-bot due to its use of ChaCha cipher and Lua. 
Variants exist for multiple architectures and it incorporates code from XorDDoS and Mirai.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chalubo", "https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/", "https://blog.centurylink.com/the-pumpkin-eclipse/", "https://blog.lumen.com/the-pumpkin-eclipse/" ], "synonyms": [ "ChaChaDDoS" ], "type": [] }, "uuid": "af91c777-93f7-4b7f-981f-141478972011", "value": "Chalubo" }, { "description": "Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos", "https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html", "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/" ], "synonyms": [], "type": [] }, "uuid": "ef03e3c3-32d5-483a-bd1f-97dd531c4bca", "value": "Chaos (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a" ], "synonyms": [], "type": [] }, "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b", "value": "Chapro" }, { "description": "Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. 
It was, for example, observed by SentinelOne during a PYSA ransomware campaign being used to achieve persistence and as a backdoor.\r\nGithub: https://github.com/jpillora/chisel", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/" ], "synonyms": [], "type": [] }, "uuid": "e5600185-39b7-49a0-bd60-a6806c7d47dd", "value": "Chisel (ELF)" }, { "description": "ELF version of clop ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.clop", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://www.helpnetsecurity.com/2023/02/07/cl0p-ransomware-decryptor-linux/", "https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/" ], "synonyms": [ "Cl0p" ], "type": [] }, "uuid": "3d11ec52-9ca8-4d83-99d4-6658f306e8e4", "value": "Clop (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf" ], "synonyms": [ "Snoopy" ], "type": [] }, "uuid": "0b1c514d-f617-4380-a28c-a1ed305a7538", "value": "Cloud Snooper" }, { "description": "ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. 
Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback", "https://labs.sucuri.net/signatures/malwares/pl-backdoor-connectback-001/" ], "synonyms": [ "Getshell" ], "type": [] }, "uuid": "82c57d1b-c11b-44f7-9675-2f0d23fb543f", "value": "ConnectBack" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti", "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.youtube.com/watch?v=cYx7sQRbjGA", "https://resources.prodaft.com/wazawaka-report", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again", "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html", "https://securelist.com/new-ransomware-trends-in-2022/106457/", "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", 
"https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware" ], "synonyms": [ "Conti Locker" ], "type": [] }, "uuid": "c1ab8323-ce61-409a-80f3-b945c8ffcd42", "value": "Conti (ELF)" }, { "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer", "https://github.com/pooler/cpuminer", "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/" ], "synonyms": [], "type": [] }, "uuid": "8196b6f6-386e-4499-b269-4e5c65f74141", "value": "Cpuminer (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r", "https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/", "https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html", "https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html" ], "synonyms": [ "CriptTor" ], "type": [] }, "uuid": "196b20ec-c3d1-4136-ab94-a2a6cc150e74", "value": "Cr1ptT0r" }, { "description": "A malware written in Bash that hides in the Linux calendar system on February 31st. Observed in relation to Magecart attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cronrat", "https://sansec.io/research/cronrat" ], "synonyms": [], "type": [] }, "uuid": "c49062cc-ceef-4794-9d8a-93ede434ecfd", "value": "CronRAT" }, { "description": "According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. 
In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink", "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a", "https://www.theregister.com/2022/03/18/cyclops_asus_routers/", "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf", "https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/", "https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/", "https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/", "https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute", "https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py", "https://www.justice.gov/opa/press-release/file/1491281/download", "https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://attack.mitre.org/groups/G0034", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html" ], "synonyms": [], "type": [] }, "uuid": "76d4b754-e025-41c5-a767-7b00a39bd255", "value": "CyclopsBlink" }, { "description": "According to PCrisk, Dacls is the name of a remote 
access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows operating system. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://blog.netlab.360.com/dacls-the-dual-platform-rat/", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://www.sygnia.co/mata-framework", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/" ], "synonyms": [], "type": [] }, "uuid": "2e5e2a7e-4ee5-4954-9c92-e9b21649ae1b", "value": "Dacls (ELF)" }, { "description": "Mirai variant exploiting CVE-2021-20090 and CVE-2021-35395 for spreading.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark", "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx", "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/", "https://twitter.com/ESETresearch/status/1440052837820428298?s=20", "https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities", "https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx" ], "synonyms": [ 
"Dark.IoT" ], "type": [] }, "uuid": "d499e7ad-332f-4057-b31d-a69916408057", "value": "Dark" }, { "description": "A sophisticated payload delivery and upgrade framework, discovered in 2024. DarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkcracks", "https://blog.xlab.qianxin.com/darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework/" ], "synonyms": [], "type": [] }, "uuid": "043c46fc-b98a-438e-b071-3ac76380f082", "value": "DarkCracks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus", "https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html" ], "synonyms": [], "type": [] }, "uuid": "dfba0c8f-9d06-448b-817e-6fffa1b22cb9", "value": "Dark Nexus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/", "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside", 
"https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/", "https://blog.group-ib.com/blackmatter2", "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636", "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/", "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html", "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", "https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212", "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access", "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/", "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", "https://www.ic3.gov/Media/News/2021/211101.pdf", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", "https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", 
"https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9", "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/", "https://pylos.co/2021/05/13/mind-the-air-gap/", "https://www.youtube.com/watch?v=qxPXxWMI2i4", "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/", "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims", "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted", "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin", "https://twitter.com/GelosSnake/status/1451465959894667275", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/", "https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", 
"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://twitter.com/JAMESWT_MHT/status/1388301138437578757", "https://www.youtube.com/watch?v=NIiEcOryLpI", "https://blog.group-ib.com/blackmatter#" ], "synonyms": [], "type": [] }, "uuid": "61796628-c37b-4284-9aa4-9f054cc6c3c2", "value": "DarkSide (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark_radiation", "https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "39be337b-8a9a-4d71-949b-5efd6248fc80", "value": "DarkRadiation" }, { "description": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg", "https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/", "https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/", "https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/", "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/", "https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/" ], "synonyms": [], "type": [] }, "uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad", "value": "DDG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddoor", "https://github.com/rek7/ddoor" ], "synonyms": [], "type": [] }, "uuid": "07f48866-647c-46b0-a0d4-29c81ad488a8", "value": "ddoor" }, { "description": "DEADBOLT is a linux ransomware written in Go, targeting QNAP NAS devices worldwide. 
Files are encrypted with AES-128 and have the .deadbolt extension appended to their names.
"https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/", "https://anchorednarratives.substack.com/p/reversing-disgomoji-with-malcat-like" ], "synonyms": [], "type": [] }, "uuid": "1f6098a1-2395-4329-8865-49602638f45a", "value": "DISGOMOJI" }, { "description": "Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo" ], "synonyms": [ "AESDDoS" ], "type": [] }, "uuid": "ffb5789f-d7e6-4723-a447-e5bb2fe713a0", "value": "Dofloo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki", "https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/", "https://www.securecoding.com/blog/all-about-doki-malware/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "a5446b35-8613-4121-ada4-c0b1d6f72851", "value": "Doki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.doublefantasy", "https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/" ], "synonyms": [], "type": [] }, "uuid": "a41d8c89-8229-4936-96c2-4b194ebaf858", "value": "DoubleFantasy (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dreambus", "https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability", "https://www.aquasec.com/blog/aqua-cndr-stop-dreambus-botnet-attack/" ], "synonyms": [], "type": [] }, "uuid": "22ff8eac-d92e-4c6e-829b-9b565d90eddd", "value": "DreamBus" }, { "description": "This payload has been used to compromise kernel.org back in August of 2011 and has 
hit cPanel Support which, in turn, has infected quite a few cPanel servers. It is a credential-stealing payload that steals SSH keys, passwords, and potentially other credentials.
In the Akamai report, a week later, Echobot was at 26.\r\n\r\nhttps://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot", "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/", "https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/", "https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html", "https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada", "https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/" ], "synonyms": [], "type": [] }, "uuid": "040ac9c6-e3ab-4b51-88a9-5380101c74f8", "value": "Echobot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.elevator", "https://blog.lumen.com/taking-the-elevator-down-to-ring-0/" ], "synonyms": [], "type": [] }, "uuid": "6ee05063-4f73-4a99-86a5-906164039a3a", "value": "Elevator" }, { "description": "According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. 
It was designed to attack web servers, Android devices and content management system (CMS) servers.
2-factor authentication.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilginx", "https://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f", "https://github.com/kgretzky/evilginx2", "https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2" ], "synonyms": [], "type": [] }, "uuid": "8eee410f-0538-4a6c-897b-c6bf4f9f28d7", "value": "Evilginx" }, { "description": "According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/", "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf" ], "synonyms": [], "type": [] }, "uuid": "149e693c-4b51-4143-9061-6a8698b0e7f5", "value": "EvilGnome" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ewdoor", "https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/" ], "synonyms": [], "type": [] }, "uuid": "e75eb723-7c23-4a3b-9419-cefb88e5f6b7", "value": "EwDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", "https://www.wired.com/story/sandworm-centreon-russia-hack/", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://twitter.com/craiu/status/1361581668092493824", "https://attack.mitre.org/groups/G0034" ], "synonyms": [], "type": [] }, "uuid": "1e0540f3-bad3-403f-b8ed-ce40a276559e", "value": "Exaramel (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4", "https://www.recordedfuture.com/chinese-cyberespionage-operations", "https://www.recordedfuture.com/chinese-cyberespionage-operations/" ], "synonyms": [], "type": [] }, "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60", "value": "ext4" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.facefish", "https://blog.netlab.360.com/ssh_stealer_facefish_en/" ], "synonyms": [], "type": [] }, "uuid": "106487ea-a710-4546-bd62-bdbfa0b0447e", "value": "Facefish" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot", "https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html", "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/", "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/", "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html" ], "synonyms": [], "type": [] }, "uuid": "501e5434-5796-4d63-8539-d99ec48119c2", "value": "FBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://securelist.com/finspy-unseen-findings/104322/", 
"https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" ], "synonyms": [], "type": [] }, "uuid": "44018d71-25fb-4959-b61e-d7af97c85131", "value": "FinFisher (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor", "https://github.com/Thibault-69/Floodor" ], "synonyms": [], "type": [] }, "uuid": "ac30f2be-8153-4588-b29c-5e5863792930", "value": "floodor" }, { "description": "Malware used to run a DDoS botnet.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fodcha", "https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/", "https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/" ], "synonyms": [], "type": [] }, "uuid": "4a64a1ca-e5bc-4a27-bff2-1c68cea05ba7", "value": "Fodcha" }, { "description": "This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.\r\n\r\nIt comes with a rootkit as well.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fontonlake", "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/" ], "synonyms": [], "type": [] }, "uuid": "c530d62b-e49f-4ccf-9c87-d9f6c16617b7", "value": "FontOnLake" }, { "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog", "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/", "https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break", "https://www.akamai.com/blog/security/fritzfrog-a-new-generation-of-peer-to-peer-botnets", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/", "https://www.akamai.com/blog/security/fritzfrog-p2p", "https://www.cyberkendra.com/2024/02/fritzfrog-botnet-expands-attack-arsenal.html" ], "synonyms": [], "type": [] }, "uuid": "b43b7b4a-9cf4-4f98-b4d2-617a7d84bfa7", "value": "FritzFrog" }, { "description": "Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices. 
It uses GitHub and Pastebin as dead drop C2 locations.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12", "https://blogs.juniper.net/en-us/threat-research/gitpaste-12" ], "synonyms": [], "type": [] }, "uuid": "ffd09324-b585-49c0-97e5-536d386f49a5", "value": "Gitpaste-12" }, { "description": "ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.glupteba_proxy", "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html", "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/" ], "synonyms": [], "type": [] }, "uuid": "bcfec1d3-ff29-4677-a5f6-be285e98a9db", "value": "Glupteba Proxy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gobrat", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html" ], "synonyms": [], "type": [] }, "uuid": "ddba032c-ebde-4736-b7ef-8376702dac6a", "value": "GobRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua", "https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/" ], "synonyms": [], "type": [] }, "uuid": "f3cb0a78-1608-44b1-9949-c6addf6c13ce", "value": "Godlua" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gomir", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage" ], "synonyms": [], "type": [] }, "uuid": "6fb012ce-c822-471c-9c15-4c7ecfb55528", "value": "Gomir" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gosh", "https://twitter.com/IntezerLabs/status/1291355808811409408" ], "synonyms": [], "type": [] }, "uuid": "931f57f9-1edd-47b8-bf80-ae7190434558", "value": "GOSH" }, { "description": "GoTitan is a DDoS bot under development, which support ten different methods of launching 
distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gotitan", "https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq" ], "synonyms": [], "type": [] }, "uuid": "92007a5e-d408-4c95-b4c2-7b4e4e29559e", "value": "GoTitan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd", "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" ], "synonyms": [], "type": [] }, "uuid": "6aee7daf-9f63-4a70-bfe5-9c95cbdcb1e3", "value": "GreedyAntd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gwisin", "https://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/" ], "synonyms": [], "type": [] }, "uuid": "c02d252d-95cc-45bc-adb6-bae51b16c55b", "value": "Gwisin (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.habitsrat", "https://twitter.com/michalmalik/status/1435918937162715139" ], "synonyms": [], "type": [] }, "uuid": "e87e7f26-f2a1-437f-8650-312050e3cd48", "value": "HabitsRAT (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hadooken", "https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/", "https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/" ], "synonyms": [], "type": [] }, "uuid": "84e9e1ec-3676-4d64-9134-c48221c03e38", "value": "Hadooken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.haiduc", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a", "value": "Haiduc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime", "https://x86.re/blog/hajime-a-follow-up/", "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/", "https://github.com/Psychotropos/hajime_hashes", "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461", "https://par.nsf.gov/servlets/purl/10096257", "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things", "https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/", "http://blog.netlab.360.com/hajime-status-report-en/", "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf" ], "synonyms": [], "type": [] }, "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489", "value": "Hajime" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743", "value": "Hakai" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot", "https://twitter.com/liuya0904/status/1171633662502350848" ], "synonyms": [], "type": [] }, "uuid": "0b323b91-ad57-4127-99d1-6a2485be70df", "value": "HandyMannyPot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief", "https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/", "https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/" ], "synonyms": [ "Hanthie" ], "type": [] }, "uuid": "db3e17f0-677b-4bdb-bc26-25e62a74673d", "value": "Hand of Thief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.headcrab", 
"https://www.aquasec.com/blog/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware/", "https://www.aquasec.com/blog/headcrab-2-0-evolving-threat-in-redis-malware-landscape/" ], "synonyms": [], "type": [] }, "uuid": "7bb684d8-ad5c-4d01-91eb-2c600dbcda2a", "value": "HeadCrab" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.helldown", "https://x.com/nextronresearch/status/1851983952409473308" ], "synonyms": [], "type": [] }, "uuid": "6dd0e6e4-536b-4271-a948-39282ff48940", "value": "HellDown" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellobot", "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", "https://blog.exatrack.com/melofee/" ], "synonyms": [], "type": [] }, "uuid": "b9fec670-2b1e-4287-ac93-68360d5adcf4", "value": "HelloBot (ELF)" }, { "description": "Linux version of the HelloKitty ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group", "https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", 
"https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225" ], "synonyms": [], "type": [] }, "uuid": "785cadf7-5c99-40bc-b718-8a98d9aa90b7", "value": "HelloKitty (ELF)" }, { "description": "Lumen discovered this malware used in campaign targeting business-grade routers using a RAT they call HiatusRAT and a variant of tcpdump for traffic interception.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiatus_rat", "https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/", "https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/" ], "synonyms": [], "type": [] }, "uuid": "69dcee87-dc61-48d4-a6af-177396bdb850", "value": "HiatusRAT" }, { "description": "HiddenWasp is a Linux-based Trojan used to target systems for remote control. 
It comes in the form of a statically linked ELF binary with stdlibc++.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" ], "synonyms": [], "type": [] }, "uuid": "ae00d48d-c515-4ca9-a29c-8c53a78f8c73", "value": "HiddenWasp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek", "https://blog.avast.com/hide-n-seek-botnet-continues", "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/", "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/", "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/", "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html", "https://threatlabs.avast.com/botnet", "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/", "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/", "https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/", "https://blog.netlab.360.com/hns-botnet-recent-activities-en/" ], "synonyms": [ "HNS" ], "type": [] }, "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b", "value": "Hide and Seek" }, { "description": "HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. 
Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot", "https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet" ], "synonyms": [], "type": [] }, "uuid": "b10fc382-b740-417a-98fa-e23d10223958", "value": "HinataBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hipid", "https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html" ], "synonyms": [], "type": [] }, "uuid": "d55eb2f1-e24d-4b50-9839-2e53b5059bae", "value": "Hipid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html", "https://arxiv.org/pdf/2202.08477.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://twitter.com/malwrhunterteam/status/1455628865229950979", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/", "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html", "https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/", "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again", "https://github.com/reecdeep/HiveV5_file_decryptor", "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://github.com/rivitna/Malware/tree/main/Hive", "https://twitter.com/ESETresearch/status/1454100591261667329", "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/", "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/", "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf", "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://blog.group-ib.com/hive" ], "synonyms": [], "type": [] }, "uuid": "c22452c8-c818-4577-9737-0b87342c7913", "value": "Hive (ELF)" }, { "description": "Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. 
HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\n* Remote shell: Execution of arbitrary shell commands on the infected router\r\n* File transfer: Upload and download files to and from the infected router.\r\n* SOCKS tunneling: Relay communication between different clients.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.horseshell", "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/" ], "synonyms": [], "type": [] }, "uuid": "9d04d96a-92fd-4731-a3b5-a3fdafd3e523", "value": "Horse Shell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hubnr", "https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet" ], "synonyms": [], "type": [] }, "uuid": "c55389b0-e778-4cf9-9030-3d1efc1224c9", "value": "Hubnr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hyperssl", "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" ], "synonyms": [ "SysUpdate" ], "type": [] }, "uuid": "263aaef5-9758-49f1-aff1-9a509f545bb3", "value": "HyperSSL (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.icefire", "https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/" ], "synonyms": [], "type": [] }, "uuid": "c03b2f7f-31ed-4133-b947-4b8846d90f19", "value": "iceFire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker", "https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/" ], "synonyms": [], "type": [] }, "uuid": "cd9f128b-6502-4e1b-a5b3-25f3c7f01ca3", "value": "Icnanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.inc", 
"https://twitter.com/malwrhunterteam/status/1689029459255373826", "https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/", "https://nikhilh-20.github.io/blog/inc_ransomware/", "https://x.com/MsftSecIntel/status/1836456406276342215" ], "synonyms": [], "type": [] }, "uuid": "fa3f90a3-40e3-4636-90f9-3e02bf645afd", "value": "INC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper", "https://research.checkpoint.com/new-iot-botnet-storm-coming/", "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm" ], "synonyms": [ "IoTroop", "Reaper", "iotreaper" ], "type": [] }, "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", "value": "IoT Reaper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm", "https://maldbg.com/ipstorm-golang-malware-windows", "https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/", "https://www.justice.gov/usao-pr/pr/russian-and-moldovan-national-pleads-guilty-operating-illegal-botnet-proxy-service", "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [ "InterPlanetary Storm" ], "type": [] }, "uuid": "a24f9c4b-1fa7-4da2-9929-064345389e67", "value": "IPStorm (ELF)" }, { "description": "According to Fortinet, this is a Mirai-based DDoS botnet.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iz1h9", 
"https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits" ], "synonyms": [], "type": [] }, "uuid": "6e98a149-9ce2-4750-9680-69f3ced5f33e", "value": "IZ1H9" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx", "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/" ], "synonyms": [], "type": [] }, "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", "value": "JenX" }, { "description": "Kaden is a DDoS botnet that is heavily based on Bashlite/Gafgyt. Next to DDoS capabilities it contains wiper functionality, which currently cannot be triggered (yet).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaden", "https://www.forescout.com/blog/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet/" ], "synonyms": [], "type": [] }, "uuid": "eebd19b4-6671-4b17-be6a-cc467e5869a5", "value": "Kaden" }, { "description": "Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. 
The name Kaiji was given by MalwareMustDie based on strings found in samples.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji", "https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/", "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/", "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/", "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.elastic.co/security-labs/betting-on-bots" ], "synonyms": [], "type": [] }, "uuid": "33fe7943-c1b3-48d5-b287-126390b091f0", "value": "Kaiji" }, { "description": "According to netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer that allows it to perform other malicious activities. The trojan does not create any copies of itself. 
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day", "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf", "https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/", "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html", "https://www.lacework.com/blog/the-kek-security-network/", "https://www.lacework.com/the-kek-security-network/" ], "synonyms": [ "STD" ], "type": [] }, "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", "value": "Kaiten" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods", "https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/", "https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html", "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang", "https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916", "https://blog.talosintelligence.com/2019/09/watchbog-patching.html" ], "synonyms": [], "type": [] }, "uuid": "e3787d95-2595-449e-8cf9-90845a9b7444", "value": "kerberods" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf", "https://www.mandiant.com/resources/mobileiron-log4shell-exploitation", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", 
"https://twitter.com/CyberJack42/status/1501290277864046595", "https://experience.mandiant.com/trending-evil/p/1", "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/", "https://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/", "https://www.mandiant.com/resources/apt41-us-state-governments" ], "synonyms": [ "ELFSHELF" ], "type": [] }, "uuid": "2c4bfc14-3ea4-4ced-806a-fcac30b2a9d7", "value": "KEYPLUG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kfos", "https://twitter.com/r3dbU7z/status/1378564694462586880" ], "synonyms": [], "type": [] }, "uuid": "5e353bc2-4d32-409b-aeb6-c7df32607c56", "value": "kfos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/", "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces", "https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/", "https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/", "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html", "https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html", "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039", "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/", "https://redcanary.com/blog/kinsing-malware-citrix-saltstack/", "https://www.aquasec.com/blog/aqua-cndr-stop-dreambus-botnet-attack/", 
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Threat%20reports/AquaSecurity_Kinsing_Demystified_Technical_Guide.pdf", "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743", "https://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html", "https://unit42.paloaltonetworks.com/atoms/moneylibra/", "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts", "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/", "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775", "https://twitter.com/IntezerLabs/status/1259818964848386048", "https://twitter.com/MsftSecIntel/status/1535417776290111489", "https://unit42.paloaltonetworks.com/cve-2020-25213/", "https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability" ], "synonyms": [ "h2miner" ], "type": [] }, "uuid": "ef0e3a56-e614-4dc1-bb20-0dcf7215c1ea", "value": "Kinsing" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kivars", "https://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html" ], "synonyms": [], "type": [] }, "uuid": "e8b24118-4ce8-471b-8683-1077a0f5f2a9", "value": "KIVARS (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos", "https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", 
"https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/", "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf" ], "synonyms": [], "type": [] }, "uuid": "201d54ae-7fb0-4522-888c-758fa9019737", "value": "Kobalos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.krasue_rat", "https://www.group-ib.com/blog/krasue-rat/" ], "synonyms": [], "type": [] }, "uuid": "b111325d-dd90-47cc-8777-fcb7e610a76e", "value": "Krasue RAT" }, { "description": "ELF x64 Rust downloader first discovered on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. Downloads Sliver backdoor and deletes itself.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader", "https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises" ], "synonyms": [], "type": [] }, "uuid": "1a5d8c38-42fa-4405-83fc-4e07b4407205", "value": "KrustyLoader" }, { "description": "According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ktlv_door", "https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html" ], "synonyms": [], "type": [] }, "uuid": "3ee0b08d-b872-4eda-8f8f-6d2f37b053ae", "value": "KTLVdoor (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kuiper", "https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "30ad3f49-bffd-4383-88b3-067ccfac7038", "value": "Kuiper (ELF)" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady", "https://news.drweb.com/news/?i=10140&lng=en" ], "synonyms": [], "type": [] }, "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", "value": "Lady" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer", "https://blog.netlab.360.com/the-leethozer-botnet-en/" ], "synonyms": [], "type": [] }, "uuid": "e9f2857a-cb91-4715-ac8b-fdc89bc9a03e", "value": "LeetHozer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lightning", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" ], "synonyms": [], "type": [] }, "uuid": "927bc8fc-fef4-4331-877d-18bcd33bdf9c", "value": "Lightning Framework" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock", "https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/", "https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html", "https://fossbytes.com/lilocked-ransomware-infected-linux-servers/" ], "synonyms": [ "Lilocked", "Lilu" ], "type": [] }, "uuid": "1328ed0d-9c1c-418b-9a96-1c538e4893bc", "value": "LiLock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley", "https://github.com/En14c/LilyOfTheValley" ], "synonyms": [], "type": [] }, "uuid": "f789442f-8f50-4e55-8fbc-b93d22b5314e", "value": "lilyofthevalley" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.linodas", "https://research.checkpoint.com/2024/29676/" ], "synonyms": [ "DinodasRAT", "XDealer" ], "type": [] }, "uuid": "e47295eb-e907-410a-ab16-62ed8652d8bf", "value": "Linodas" }, { "description": "BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency 
mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot", "https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/", "https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/" ], "synonyms": [], "type": [] }, "uuid": "3fe8f3db-4861-4e78-8b60-a794fe22ae3f", "value": "LiquorBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit", "https://analyst1.com/ransomware-diaries-volume-1/", "https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group", "https://www.ic3.gov/Media/News/2022/220204.pdf", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79", "https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/", "https://github.com/prodaft/malware-ioc/tree/master/PTI-257", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/", "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/", "https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation", 
"https://securelist.com/crimeware-report-lockbit-switchsymb/110068/", "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", "https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf", "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/", "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://security.packt.com/understanding-lockbit/", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants", "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/" ], "synonyms": [], "type": [] }, "uuid": "afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e", "value": "LockBit (ELF)" }, { "description": "Loader and Cleaner components used in attacks against high-performance computing centers in Europe.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas", "https://www.cadosecurity.com/2020/05/16/1318/", "https://twitter.com/nunohaien/status/1261281419483140096", "https://atdotde.blogspot.com/2020/05/high-performance-hackers.html" ], "synonyms": [], "type": [] }, "uuid": "6332d57c-c46f-4907-8dac-965b15ffbed6", "value": "Loerbas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector", "https://blog.netlab.360.com/dacls-the-dual-platform-rat/" ], "synonyms": [], "type": [] }, "uuid": 
"0473214a-2daa-4b5b-84bc-1bcbab11ef80", "value": "Log Collector" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw", "https://twitter.com/ddash_ct/status/1326887125103616000" ], "synonyms": [], "type": [] }, "uuid": "cfcf8608-03e7-4a5b-a46c-af342db2d540", "value": "Lootwodniw" }, { "description": "ESXi encrypting ransomware written in Rust.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.luna", "https://nikhilh-20.github.io/blog/luna_ransomware/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html" ], "synonyms": [], "type": [] }, "uuid": "bc9022d6-ee65-463f-9823-bc0f96963a75", "value": "Luna" }, { "description": "Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.manjusaka", "https://github.com/avast/ioc/tree/master/Manjusaka", "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html" ], "synonyms": [], "type": [] }, "uuid": "cd3a3a96-af66-4470-8115-b8bf3eef005a", "value": "Manjusaka (ELF)" }, { "description": "Masuta takes advantage of the EDB 38722 D-Link exploit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta", "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7", "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes", "https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/" ], "synonyms": [ "PureMasuta" ], "type": [] }, "uuid": "b9168ff8-01df-4cd0-9f70-fe9e7a11eccd", "value": "Masuta" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh", "https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/" ], "synonyms": [], "type": [] }, 
"uuid": "4e989704-c49f-468c-95e1-1b7c5a58b3c4", "value": "Matryosh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.melofee", "https://asec.ahnlab.com/en/55785/", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://blog.exatrack.com/melofee/" ], "synonyms": [ "Mélofée" ], "type": [] }, "uuid": "1ffd85bd-389c-4e04-88fd-8186423c3691", "value": "Melofee" }, { "description": "MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html", "https://attack.mitre.org/groups/G0096", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "a07d6748-3557-41ac-b55b-f4348dc2a3c7", "value": "MESSAGETAP" }, { "description": "An x64 ELF file infector with a non-destructive payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim", "https://www.guitmz.com/linux-midrashim-elf-virus/", "https://github.com/guitmz/midrashim" ], "synonyms": [], "type": [] }, "uuid": "fe220358-7118-4feb-b43e-cbdaf2ea09dc", "value": "Midrashim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", 
"https://securitykitten.github.io/2016/12/14/mikey.html", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md" ], "synonyms": [], "type": [] }, "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea", "value": "MiKey" }, { "description": "Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means \"future\" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on \"Hack Forums\" many variants of the Mirai family appeared, infecting mostly home networks all around the world.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", "https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html", "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/", "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/", "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot", "https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html", "https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign", "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt", "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/", 
"https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/", "https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/", "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html", "https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/", "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group", "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/", "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet", "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/", "https://blog.xlab.qianxin.com/mirai-nomi-en/", "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039", "https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18", "https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/", "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", "https://synthesis.to/2021/06/30/automating_string_decryption.html", "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/", "https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/", "https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/", "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/", 
"https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://github.com/jgamblin/Mirai-Source-Code", "https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/", "https://isc.sans.edu/diary/22786", "https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/", "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/", "https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/", "https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability", "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html", "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/", "https://unit42.paloaltonetworks.com/cve-2020-17496/", "https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/", "https://www.youtube.com/watch?v=KVJyYTie-Dc", "https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/", "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/", "https://deform.co/the-infamous-mirai-trojan-evolves-new-pandora-variant-targets-android-tvs/", "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts", "http://osint.bambenekconsulting.com/feeds/", "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", 
"https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", "https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai", "https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html", "https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants", "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx", "https://community.riskiq.com/article/d8a78daf", "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/", "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/", "https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/", "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet", "https://twitter.com/MsftSecIntel/status/1535417776290111489", "https://cert.gov.ua/article/37139" ], "synonyms": [ "Katana" ], "type": [] }, "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", "value": "Mirai (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", "value": "Mokes (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.momentum", "https://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html" ], "synonyms": [], "type": [] }, "uuid": "aaf8ce1b-3117-47c6-b756-809538ac8ff2", "value": "Momentum" }, { "description": "A ransomware, derived from the leaked Conti source code.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.monti", "https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html", "https://resources.prodaft.com/wazawaka-report" ], "synonyms": [], "type": [] }, "uuid": "7df77b77-00dd-4eba-a697-b9a7be262acc", "value": "Monti" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot", "https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b", "https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian", "https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF", "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", "https://blog.netlab.360.com/ddos-botnet-moobot-en/", "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/", "https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability", "https://unit42.paloaltonetworks.com/moobot-d-link-devices/" ], "synonyms": [], "type": [] }, "uuid": "cd8deffe-eb0b-4451-8a13-11f6d291064a", "value": "MooBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose", "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/", "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf", "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/" ], "synonyms": [], "type": [] }, "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0", "value": "Moose" }, { "description": "Mozi is an IoT botnet that makes use of P2P for communication and reuses source code of other well-known malware families, including Gafgyt, Mirai, and IoT Reaper.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi", "https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/", "https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet", "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/", "https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave", "https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/", "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/", "https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/", "https://blog.netlab.360.com/mozi-another-botnet-using-dht/", "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/", "https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/", "https://www.youtube.com/watch?v=cDFO_MRlg3M", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/" ], "synonyms": [], "type": [] }, "uuid": "236ba358-4c70-434c-a7ac-7a31e76c398a", "value": "Mozi" }, { "description": "MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.\r\n\r\nMrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. 
One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack", "https://news.drweb.com/?i=5760&c=23&lng=en", "https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf", "https://blog.syscall.party/post/aes-ddos-analysis-part-1/", "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf" ], "synonyms": [ "AESDDoS", "Dofloo" ], "type": [] }, "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", "value": "MrBlack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mumblehard", "https://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf" ], "synonyms": [], "type": [] }, "uuid": "5f78127b-25d3-4f86-8a64-f9549b2db752", "value": "Mumblehard" }, { "description": "Ransomware used against Linux servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry", "https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/" ], "synonyms": [], "type": [] }, "uuid": "7ec8a41f-c72e-4832-a5a4-9d7380cea083", "value": "Nextcry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb", "https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/", 
"https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/", "https://twitter.com/IntezerLabs/status/1324346324683206657" ], "synonyms": [], "type": [] }, "uuid": "a4ad242c-6fd0-4b1d-8d97-8f48150bf242", "value": "Ngioweb (ELF)" }, { "description": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nimbo_c2", "https://github.com/itaymigdal/Nimbo-C2" ], "synonyms": [], "type": [] }, "uuid": "5dbdf2ea-a15b-4ad6-bf7a-a030998c66b4", "value": "Nimbo-C2 (ELF)" }, { "description": "Golang-based RAT that offers execution of shell commands and download+run capability. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.niub", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/" ], "synonyms": [], "type": [] }, "uuid": "7c516b66-f4a4-406a-bf35-d898ac8bffec", "value": "NiuB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.noabot", "https://nikhilh-20.github.io/blog/noabot_botnet/", "https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining" ], "synonyms": [], "type": [] }, "uuid": "b5ee45a0-d75b-40e7-b737-3cfa1cc8246c", "value": "NoaBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.noodrat", "https://asec.ahnlab.com/en/62144/" ], "synonyms": [], "type": [] }, "uuid": "59ac87c0-f2ce-4e83-83bd-299e123b72a7", "value": "Nood RAT" }, { "description": "According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). 
Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique \"key\" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices. \r\n\r\nThe malware and its associated droppers are memory-resident only and deleted from disk. This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nosedive", "https://assets.lumen.com/is/content/Lumen/raptor-train-handbook-copy", "https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF", "https://blog.lumen.com/derailing-the-raptor-train/", "https://www.justice.gov/d9/2024-09/redacted_24-mj-1484_signed_search_and_seizure_warrant_for_disclosure.pdf" ], "synonyms": [], "type": [] }, "uuid": "13840bb0-494d-403e-a37d-65cf144d71e9", "value": "Nosedive" }, { "description": "FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. 
The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin", "https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/", "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/", "https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html", "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [ "remove_bds" ], "type": [] }, "uuid": "aaeb76b3-3885-4dc6-9501-4504fed9f20b", "value": "NOTROBIN" }, { "description": "According to stormshield, Orbit is a two-stage malware that appeared in July 2022, discovered by Intezer lab. 
Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.orbit", "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" ], "synonyms": [], "type": [] }, "uuid": "ae9d84f2-60e5-4a33-98f4-a0061938ec6d", "value": "OrBit" }, { "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari", "https://twitter.com/hrbrmstr/status/1019922651203227653", "https://twitter.com/360Netlab/status/1019759516789821441", "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", "https://twitter.com/ankit_anubhav/status/1019647993547550720", "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/", "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/", "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html" ], "synonyms": [], "type": [] }, "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", "value": "Owari" }, { "description": "According to Yarix digital security, this is malware that allows sniffing of HTTPS traffic, implemented as an Apache module.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r", "https://www.vargroup.it/wp-content/uploads/2019/10/ReverseEngineering_SecurityReport_EN_2019.10.16-2.pdf" ], "synonyms": [], "type": [] }, "uuid": "cc48c6ae-d274-4ad0-b013-bd75041a20c8", "value": "p0sT5n1F3r" }, { "description": "P2Pinfect is a fast-growing multi-platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. 
It is capable of brute forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect", "https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/", "https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer", "https://www.cadosecurity.com/redis-p2pinfect/", "https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/", "https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/", "https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform" ], "synonyms": [], "type": [] }, "uuid": "31a32308-7034-4419-b1f3-56a4d64b4358", "value": "P2Pinfect" }, { "description": "P2P botnet derived from the Mirai source code.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot", "https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html" ], "synonyms": [], "type": [] }, "uuid": "7aff049d-9326-466d-bbcc-d62da673b32c", "value": "pbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", "https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", 
"https://lab52.io/blog/looking-for-penquins-in-the-wild/", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", "https://twitter.com/juanandres_gs/status/944741575837528064", "https://www.youtube.com/watch?v=JXsjRUxx47E", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840", "value": "Penquin Turla" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perfctl", "https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/", "https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking" ], "synonyms": [ "perfcc" ], "type": [] }, "uuid": "5a4408f2-6ee3-4c82-9ee2-a1b4290666be", "value": "perfctl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot", "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html", "https://sysdig.com/blog/malware-analysis-shellbot-sysdig/", "https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/", "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/", "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://twitter.com/Nocturnus/status/1308430959512092673", "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf", 
"https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/", "https://unit42.paloaltonetworks.com/cve-2020-17496/", "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/", "https://asec.ahnlab.com/en/49769/", "https://asec.ahnlab.com/en/54647/", "https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/" ], "synonyms": [ "DDoS Perl IrcBot", "ShellBot" ], "type": [] }, "uuid": "24b77c9b-7e7e-4192-8161-b6727728170f", "value": "PerlBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai", "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" ], "synonyms": [], "type": [] }, "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", "value": "Persirai" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pg_mem", "https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/" ], "synonyms": [], "type": [] }, "uuid": "74ffa404-9082-4db9-ac19-18a875db9fe7", "value": "PG_MEM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pigmy_goat", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf" ], "synonyms": [], "type": [] }, "uuid": "fcdcdc68-4c82-4d3d-aef1-96eac0a62761", "value": "PigmyGoat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pingpull", "https://unit42.paloaltonetworks.com/alloy-taurus/", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/" ], "synonyms": [], "type": [] }, "uuid": "65a7944c-15d9-4ca5-8561-7c97b18684c8", "value": "PingPull" }, { "description": "A botnet with P2P and centralized C&C capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pink", 
"https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/", "https://blog.netlab.360.com/pink-en/" ], "synonyms": [], "type": [] }, "uuid": "67063764-a47c-4058-9cb2-1685ffa14fe8", "value": "Pink" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf", "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020" ], "synonyms": [], "type": [] }, "uuid": "de3c14aa-f9f4-4071-8e6e-a2c16a3394ad", "value": "PLEAD (ELF)" }, { "description": "Part of Mythic C2, written in Golang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.poseidon", "https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/", "https://github.com/MythicAgents/poseidon", "https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/", "https://cert.gov.ua/article/6123309" ], "synonyms": [], "type": [] }, "uuid": "ad796632-2595-4ae5-a563-b92197210d61", "value": "Poseidon (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism", "https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar" ], "synonyms": [ "waterdrop" ], "type": [] }, "uuid": "9a4a866b-84a9-4778-8de8-2780a27c0597", "value": "PRISM" }, { "description": "Black Lotus Labs identified malware for the 
Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.privet_sanya", "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/" ], "synonyms": [], "type": [] }, "uuid": "41e5aafb-5847-421e-813d-627414ee31bb", "value": "PrivetSanya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei", "https://twitter.com/IntezerLabs/status/1338480158249013250", "https://cujo.com/iot-malware-journals-prometei-linux/", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html", "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "b6899bda-54e9-4953-8af5-22af39776b69", "value": "Prometei (ELF)" }, { "description": "Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean", "https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/", "https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/" ], "synonyms": [], "type": [] }, "uuid": "aa918c10-e5c7-4abd-b8c0-3c938a6675f5", "value": "Pro-Ocean" }, { "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. 
Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], "type": [] }, "uuid": "92a1288f-cc4d-47ca-8399-25fe5a39cf2d", "value": "pupy (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qilin", "https://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/", "https://twitter.com/malwrhunterteam/status/1724521714845937822" ], "synonyms": [], "type": [] }, "uuid": "d97af6c5-640f-46b4-943c-0e8940f8011e", "value": "Qilin" }, { "description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.\r\n\r\n3. 
Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/", "https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/", "https://www.qnap.com/en/security-advisory/QSA-20-02", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/", "https://www.ibm.com/downloads/cas/Z81AVOY7", "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/", "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf", "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/", "https://www.anomali.com/blog/the-ech0raix-ransomware" ], "synonyms": [ "eCh0raix" ], "type": [] }, "uuid": "a0b12e5f-0257-41f1-beda-001ad944c4ca", "value": "QNAPCrypt" }, { "description": "The malware infects QNAP NAS devices, is persisting via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. 
The malware steals passwords and hashes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf", "https://bin.re/blog/the-dga-of-qsnatch/", "https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices", "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-209a" ], "synonyms": [], "type": [] }, "uuid": "48389957-30e2-4747-b4c6-8b8a9f15250f", "value": "QSnatch" }, { "description": "Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit", "https://www.mandiant.com/resources/unc3524-eye-spy-email", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023" ], "synonyms": [], "type": [] }, "uuid": "6a5ab9ca-944c-4187-bdef-308516745d18", "value": "QUIETEXIT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2", "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" ], "synonyms": [], "type": [] }, "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d", "value": "r2r2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1", "https://twitter.com/malwrhunterteam/status/1475568201673105409", 
"https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "5f96787e-fc9f-486b-a15f-f46c8179a4d5", "value": "RagnarLocker (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22", "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" ], "synonyms": [], "type": [] }, "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", "value": "Rakos" }, { "description": "According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf", "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", 
"https://www.ic3.gov/Media/News/2021/211101.pdf", "https://www.sentinelone.com/anthology/ransomexx/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.youtube.com/watch?v=qxPXxWMI2i4", "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195", "https://securityintelligence.com/x-force/ransomexx-upgrades-rust/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout" ], "synonyms": [ "Defray777" ], "type": [] }, "uuid": "946814a1-957c-48ce-9068-fdef24a025bf", "value": "RansomEXX (ELF)" }, { "description": "According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx2", "https://securityintelligence.com/x-force/ransomexx-upgrades-rust/" ], "synonyms": [], "type": [] }, "uuid": "c6d750d5-fa47-4fcb-9d24-2682036fc6e5", "value": "RansomExx2" }, { "description": "A Mirai derivate bruteforcing SSH servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rapper_bot", "https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery", "https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/", 
"https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks" ], "synonyms": [], "type": [] }, "uuid": "914c94eb-38e2-4cb8-a62b-21fbe9c48496", "value": "RapperBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet", "https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/" ], "synonyms": [], "type": [] }, "uuid": "8dee025b-2233-4cd8-af02-fcdcd40b378f", "value": "RaspberryPiBotnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin", "https://github.com/Thibault-69/RAT-Hodin-v2.5" ], "synonyms": [], "type": [] }, "uuid": "6aacf515-de49-4afc-a135-727c9beaab0b", "value": "rat_hodin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv", "https://github.com/Thibault-69/Remote_Shell" ], "synonyms": [], "type": [] }, "uuid": "a08d9f8b-2cc5-48c2-8cce-ee713bcdc4b7", "value": "rbs_srv" }, { "description": "RedTail is a cryptomining malware, which is based on the open-source XMRIG mining software. It is being spread via known vulnerabilities such as:\r\n- CVE-2024-3400 \r\n- CVE-2023-46805\r\n- CVE-2024-21887\r\n- CVE-2023-1389\r\n- CVE-2022-22954\r\n- CVE-2018-20062", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.redtail", "https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit" ], "synonyms": [], "type": [] }, "uuid": "ba89a509-ff8e-446b-867c-7f15efe0477f", "value": "RedTail" }, { "description": "RedXOR is a sophisticated backdoor targeting Linux systems disguised as polkit daemon and utilizing network data encoding based on XOR. Believed to be developed by Chinese nation-state actors, this malware shows similarities to other malware associated with the Winnti umbrella threat group. 
\r\n\r\nRedXOR uses various techniques such as open-source LKM rootkits, Python pty shell, and network data encoding with XOR. It also employs persistence methods and communication with a Command and Control server over HTTP. \r\n\r\nThe malware can execute various commands including system information collection, updates, shell commands, and network tunneling. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.redxor", "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/" ], "synonyms": [], "type": [] }, "uuid": "421b2ec7-d4e6-4fc8-9bd3-55fe26337aae", "value": "RedXOR" }, { "description": "Ransomware that targets Linux VMware ESXi servers. Encryption procedure uses the NTRUEncrypt public-key encryption algorithm.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert", "https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/" ], "synonyms": [ "N13V" ], "type": [] }, "uuid": "12137c8d-d3f4-44fe-b25e-2fb5f90cecce", "value": "RedAlert Ransomware" }, { "description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. 
The Trojan’s configuration data is stored in a file encrypted with XOR algorithm", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe", "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt", "https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users", "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/", "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/", "https://asec.ahnlab.com/en/55229/", "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/", "https://vms.drweb.com/virus/?i=7754026&lng=en", "https://sansec.io/research/rekoobe-fishpig-magento", "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/", "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/", "https://twitter.com/billyleonard/status/1458531997576572929" ], "synonyms": [], "type": [] }, "uuid": "48b9a9fd-4c1a-428a-acc0-40b1a3fa7590", "value": "Rekoobe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile", "https://asec.ahnlab.com/en/55785/", "https://github.com/f0rb1dd3n/Reptile", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", "https://dfir.ch/posts/reptile_launcher/", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf" ], "synonyms": [], "type": [] }, "uuid": "934478a1-1243-4c26-8360-be3d01ae193e", "value": "reptile" }, { "description": "ELF version of win.revil targeting VMware ESXi hypervisors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil", "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/", "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/", 
"https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.youtube.com/watch?v=ptbNMlWxYnE", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://malienist.medium.com/revix-linux-ransomware-d736956150d0", "https://home.treasury.gov/news/press-releases/jy0471", "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.flashpoint-intel.com/blog/revil-disappears-again/", "https://threatpost.com/ransomware-revil-sites-disappears/167745/", "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version", "https://www.bbc.com/news/technology-59297187", "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/", "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo", "https://ke-la.com/will-the-revils-story-finally-be-over/", "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil", "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil", "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", 
"https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/", "https://twitter.com/IntezerLabs/status/1452980772953071619", "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/", "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend", "https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5", "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf", "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment", "https://twitter.com/VK_Intel/status/1409601311092490248", "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/", "https://github.com/f0wl/REconfig-linux", "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021", "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.youtube.com/watch?v=mDUMpYAOMOo", "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://angle.ankura.com/post/102hcny/revix-linux-ransomware", "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya", "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", "https://twitter.com/VK_Intel/status/1409601311092490248?s=20", "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html", "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", 
"https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/", "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf", "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/", "https://analyst1.com/file-assets/History-of-REvil.pdf" ], "synonyms": [ "REvix" ], "type": [] }, "uuid": "d9d76456-01a3-4dcd-afc2-87529e00c1ba", "value": "REvil (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex", "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/" ], "synonyms": [], "type": [] }, "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", "value": "Rex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus", "https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/" ], "synonyms": [], "type": [] }, "uuid": "af886910-9a0b-478e-b53d-54c8a103acb4", "value": "RHOMBUS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhysida", "https://twitter.com/malwrhunterteam/status/1724165711356993736", "https://www.shadowstackre.com/analysis/rhysida", "https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation" ], "synonyms": [], "type": [] }, "uuid": "1dbd7cbb-960d-4ef4-9520-1748fb7cd4c6", "value": "Rhysida (ELF)" }, { "description": "P2P Botnet discovered by Netlab360. The botnet infects linux servers via the Webmin RCE vulnerability (CVE-2019-15107) which allows attackers to run malicious code with root privileges and take over older Webmin versions. 
Based on the Netlab360 analysis, the botnet serves mainly 7 functions: reverse shell, self-uninstall, gather process network information, gather Bot information, execute system commands, run encrypted files specified in URLs, and four DDoS attack methods: ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.roboto", "https://blog.netlab.360.com/the-awaiting-roboto-botnet-en", "https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin" ], "synonyms": [], "type": [] }, "uuid": "e18bf514-b978-4bef-b4d9-834a5100fced", "value": "Roboto" }, { "description": "RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021.\r\nThe malware uses rotating encryption to encrypt the resource information within the sample, and C2 communication, using a combination of AES, XOR, ROTATE encryption and ZLIB compression.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro", "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/", "https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro", "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" ], "synonyms": [], "type": [] }, "uuid": "66fb7b48-60f2-44fc-9cbe-f70e776d058b", "value": "RotaJakiro" }, { "description": "According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.royal_ransom", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://unit42.paloaltonetworks.com/royal-ransomware/", "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html", 
"https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/" ], "synonyms": [ "Royal", "Royal_unix" ], "type": [] }, "uuid": "4e29dae1-5a8c-4b3c-81dc-dcc0fdd3c93a", "value": "Royal Ransom (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rshell", "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html" ], "synonyms": [], "type": [] }, "uuid": "4947e9d3-aa13-4359-ac43-c1c436c409c9", "value": "Rshell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rude_devil", "https://www.elastic.co/security-labs/betting-on-bots" ], "synonyms": [], "type": [] }, "uuid": "923ee959-4ea5-46c5-8926-84e41ca77ca4", "value": "RudeDevil" }, { "description": "According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv, close syscalls via the 3rd party kubo/funchook hooking library, and amounts to five components, most of which are referred to as \"Channels\" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.saltwater", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" ], "synonyms": [], "type": [] }, "uuid": "d55ea436-b2c1-400c-99dc-6e35bc05438b", "value": "SALTWATER" }, { "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. 
It uses exploits to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori", "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/", "https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/", "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori", "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/", "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/", "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/" ], "synonyms": [], "type": [] }, "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0", "value": "Satori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sbidiot", "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/", "https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/", "https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/" ], "synonyms": [], "type": [] }, "uuid": "b4c20cf4-8e94-4523-8d48-7781aab6785d", "value": "SBIDIOT" }, { "description": "According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen to commands received from the Threat Actor’s Command-and-Control through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks the captured network packet for a hard-coded string. 
When the right sequence of packets is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system.\r\nThe malware is based on an open-source backdoor program named \"cd00r\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.seaspy", "https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics", "https://www.cisa.gov/news-events/analysis-reports/ar23-209b" ], "synonyms": [], "type": [] }, "uuid": "a6699c42-69d8-4bdd-8dd9-72f4c80efefa", "value": "SEASPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sedexp", "https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp" ], "synonyms": [], "type": [] }, "uuid": "4e71e8ab-a34a-494f-814d-cc983a2de463", "value": "sedexp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind", "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" ], "synonyms": [], "type": [] }, "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", "value": "ShellBind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga", "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" ], "synonyms": [], "type": [] }, "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", "value": "Shishiga" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sidewalk", "https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics", 
"https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401" ], "synonyms": [], "type": [] }, "uuid": "ec994efc-a8a4-4e92-ada2-e37d421baf01", "value": "SideWalk (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.silex", "https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/" ], "synonyms": [ "silexbot" ], "type": [] }, "uuid": "bf059cb4-f73a-4181-bf71-d8da7bf50dd8", "value": "Silex" }, { "description": "SimpleTea for Linux is an HTTP(S) RAT. \r\n\r\nIt was discovered in Q1 2023 as an instance of the Lazarus group's Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.\r\n\r\nIt’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.\r\n\r\nIt supports basic commands that include operations on the victim’s filesystem, manipulation with its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. 
The commands are indexed by 16-bit integers, starting with the value 0x27C3.\r\n\r\nSimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.simpletea", "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf" ], "synonyms": [ "PondRAT", "SimplexTea" ], "type": [] }, "uuid": "e8695701-8055-4b98-bcb6-e4bb7e0a3346", "value": "SimpleTea (ELF)" }, { "description": "According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick", "https://www.mandiant.com/resources/unc2891-overview", "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" ], "synonyms": [], "type": [] }, "uuid": "fb3e0a1d-3a98-4cbd-ad7f-4bbb4b9a8351", "value": "SLAPSTICK" }, { "description": "According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. 
SeaTurtle has used SnappyTCP at least between 2021 and 2023.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.snappy_tcp", "https://www.huntandhackett.com/blog/turkish-espionage-campaigns", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html", "https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/" ], "synonyms": [], "type": [] }, "uuid": "72e045be-eba2-4571-9c6e-7d35add3d2f8", "value": "SnappyTCP" }, { "description": "This is an implant used by APT31 on home routers to utilize them as ORBs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sowat", "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003", "https://twitter.com/billyleonard/status/1417910729005490177", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://twitter.com/bkMSFT/status/1417823714922610689", "https://imp0rtp3.wordpress.com/2021/11/25/sowat/" ], "synonyms": [], "type": [] }, "uuid": "c2866996-d622-4ee2-b548-a6598836e5ae", "value": "SoWaT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", "https://cis.verint.com/2016/11/08/spamtorte-version-2/" ], "synonyms": [], "type": [] }, "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", "value": "Spamtorte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup", "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" ], "synonyms": [], "type": [] }, "uuid": "3ccd3143-c34d-4680-94b9-2cc4fa4f86fa", "value": "SpeakUp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter", "https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/", "https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/" ], "synonyms": 
[], "type": [] }, "uuid": "b9ed5797-b591-4ca9-ba77-ce86308e333a", "value": "Specter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spectral_blur", "https://twitter.com/X__Junior/status/1743193763000828066" ], "synonyms": [], "type": [] }, "uuid": "a14e7ea4-668c-4990-a1a9-be99722f88f7", "value": "SpectralBlur (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos", "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/" ], "synonyms": [], "type": [] }, "uuid": "df23ae3a-e10d-4c49-b379-2ea2fd1925af", "value": "Speculoos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks", "https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "3b5c485b-b6a6-4586-a7dc-9e23a3b0aa5a", "value": "SprySOCKS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/", "https://www.trendmicro.com/en_in/research/24/e/router-roulette.html", "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" ], "synonyms": [], "type": [] }, "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", "value": "SSHDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/", "https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/", 
"https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/", "https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/", "https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", "value": "Stantinko" }, { "description": "According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi", "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/", "https://www.mandiant.com/resources/unc2891-overview", "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/" ], "synonyms": [], "type": [] }, "uuid": "21ff33b5-ef21-4263-8747-7de3d2dbdde6", "value": "STEELCORGI" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless", "https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/" ], "synonyms": [], "type": [] }, "uuid": "d03fa69b-53a4-4f61-b800-87e4246d2656", "value": "Sunless" }, { "description": "Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread via exploitation and brute-force activities with a special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes", "https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/" ], "synonyms": [], "type": [] }, "uuid": "5c117b01-826b-4656-b6ca-8b18b6e6159f", "value": "sustes miner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.suterusu", "https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/" ], "synonyms": [ "HCRootkit" ], "type": [] }, "uuid": "d2748a0c-8739-4006-95c4-bdf6350d7fa9", "value": "Suterusu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sword2033", "https://unit42.paloaltonetworks.com/alloy-taurus/", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/" ], "synonyms": [], "type": [] }, "uuid": "9c1a32c7-45b4-4d3a-9d15-300b353f32a7", "value": "Sword2033" }, { "description": "A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. 
It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote", "https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat", "https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html", "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote", "https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/" ], "synonyms": [], "type": [] }, "uuid": "4339d876-768c-4cdf-941f-3f55a08aafca", "value": "Symbiote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysjoker", "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html", "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/", "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/" ], "synonyms": [], "type": [] }, "uuid": "c4b681ec-f5b5-433a-9314-07e06f739ba2", "value": "SysJoker (ELF)" }, { "description": "Cryptojacking botnet", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysrvhello", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.lacework.com/sysrv-hello-expands-infrastructure/", "https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/", "https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet", "https://dfir.ch/posts/sysrv/" ], "synonyms": [ "Sysrv" ], "type": [] }, "uuid": "d471083a-c8e1-4d9b-907e-685c9a75c1f9", "value": "Sysrv-hello (ELF)" }, { "description": "Since Fall 2019, Team TNT is a well 
known threat actor that targets *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations. It has shifted its focus to compromising Kubernetes Clusters. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials", "https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server", "https://www.aquasec.com/blog/fileless-malware-container-security/", "https://unit42.paloaltonetworks.com/atoms/adept-libra/", "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment", "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf", "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked", "https://unit42.paloaltonetworks.com/atoms/thieflibra/", "https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html", "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", "https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/", "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/", "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", "https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/", 
"https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera", "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool", "https://www.aquasec.com/blog/container-attacks-on-redis-servers/", "https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html", "https://tolisec.com/active-crypto-mining-operation-by-teamtnt/", "https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools", "https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/", "https://www.aquasec.com/blog/container-security-tnt-container-attack/", "https://sysdig.com/blog/teamtnt-aws-credentials/" ], "synonyms": [], "type": [] }, "uuid": "24695f84-d3af-477e-92dd-c05c9536ebf5", "value": "TeamTNT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon", "https://blog.lumen.com/a-new-phase-of-themoon/", "https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers", "https://blog.lumen.com/the-darkside-of-themoon", "https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902" ], "synonyms": [], "type": [] }, "uuid": "ed098719-797b-4cb3-a73c-65b6d08ebdfa", "value": "TheMoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger", "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html", "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/" ], "synonyms": [], "type": [] }, "uuid": "00319b53-e31c-4623-a3ac-9a18bc52bf36", "value": "TNTbotinger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii", "https://blog.avast.com/new-torii-botnet-threat-research" ], "synonyms": [], "type": [] }, "uuid": 
"a874575e-0ad7-464d-abb6-8f4b7964aa92", "value": "Torii" }, { "description": "According to its author, TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.triplecross", "https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/", "https://github.com/h3xduck/TripleCross" ], "synonyms": [], "type": [] }, "uuid": "a462c60d-a7f9-4a05-aaa1-be415870310e", "value": "TripleCross" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot", "http://paper.seebug.org/345/" ], "synonyms": [], "type": [] }, "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", "value": "Trump Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf", "https://twitter.com/ESETresearch/status/1382054011264700416", "https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" ], "synonyms": [], "type": [] }, "uuid": "592f7cc6-1e07-4d83-8082-aef027e9f1e2", "value": "TSCookie" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh", "https://github.com/creaktive/tsh" ], "synonyms": [], "type": [] }, "uuid": "95a07de2-0e17-48a7-b935-0c1c0c0e39af", "value": "tsh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", "https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers", "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/", "https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/", "https://sysdig.com/blog/muhstik-malware-botnet-analysis/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks", "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server", "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039", "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/", "https://blog.aquasec.com/fileless-malware-container-security", "https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure", "https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134", "https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/", "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/", "https://asec.ahnlab.com/en/54647/", "http://get.cyberx-labs.com/radiation-report", 
"https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/", "https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/", "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "https://www.aquasec.com/blog/container-security-tnt-container-attack/", "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775" ], "synonyms": [ "Amnesia", "Muhstik", "Radiation" ], "type": [] }, "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", "value": "Tsunami (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat", "https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html", "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html" ], "synonyms": [], "type": [] }, "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", "value": "Turla RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon", "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" ], "synonyms": [ "Espeon" ], "type": [] }, "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", "value": "Umbreon" }, { "description": "According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. 
At the time of reporting, the exploited vulnerability was only a week old; the attack uses it to gain remote command execution on the target machine, scans the Internet for other machines to infect, and starts a cryptocurrency miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001", "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability" ], "synonyms": [], "type": [] }, "uuid": "b5b59d9f-f9e2-4201-a017-f2bae0470808", "value": "Unidentified Linux 001" }, { "description": "Implant used by APT31 on compromised SOHO infrastructure; it tries to masquerade as a tool (\"unifi-video\") related to Ubiquiti UniFi surveillance cameras. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_004", "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/" ], "synonyms": [], "type": [] }, "uuid": "44a57915-2ec0-476f-9f20-b11082f5b5a4", "value": "Unidentified ELF 004" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_005", "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/", "https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/" ], "synonyms": [], "type": [] }, "uuid": "d49402b3-9f2a-4d9a-ae09-b1509da2e8fd", "value": "Unidentified 005 (Sidecopy)" }, { "description": "Enables remote execution of scripts on a host; it communicates with its operator via the Tox protocol.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_006", "https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers" ], "synonyms": [], "type": [] }, "uuid": "61a36688-0a4f-4899-8b17-ca0d5ff7e800", "value": "Unidentified ELF 006 (Tox Backdoor)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vault8_hive", "https://github.com/infoskirmish/hive", "https://wikileaks.org/vault8/" ], "synonyms": [], "type": [] }, "uuid": "721fa6d1-da73-4dd4-9154-a60ff4607467", "value": "Hive 
(Vault 8)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/", "https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html" ], "synonyms": [], "type": [] }, "uuid": "a4ded098-be7b-4852-adfd-8971ace583f1", "value": "Vermilion Strike (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en", "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", "https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html", "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html", "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", 
"https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter", "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html", "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", "https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf", "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/", "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware", "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", "https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://blog.talosintelligence.com/2018/05/VPNFilter.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf" ], "synonyms": [], "type": [] }, "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", "value": "VPNFilter" }, { "description": "According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C addresses are fetched from Pastebin. C&C communication references a unique identification key per victim. It contains a BlueKeep scanner that reports hosts found to be vulnerable back to the C&C server (the report is RC4-encrypted and sent inside an SSL/TLS session). It bundles five exploits, targeting Jira, Exim, Solr, Jenkins, and Nexus Repository Manager 3. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog", "https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/" ], "synonyms": [], "type": [] }, "uuid": "aa00d8c9-b479-4d05-9887-cd172a11cfc9", "value": "WatchBog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "93ffafbd-a8af-4164-b3ab-9b21e6d09232", "value": "WellMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29", 
"https://blog.talosintelligence.com/2020/08/attribution-puzzle.html", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-116a", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://community.riskiq.com/article/541a465f/description", "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de", "value": "elf.wellmess" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.whirlpool", "https://services.google.com/fh/files/misc/01-chinese-espionage-article-m-trends-2024.pdf", "https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0" ], "synonyms": [], "type": [] }, "uuid": "be3a5211-45a8-496a-974f-6ef14f44af3d", "value": "WHIRLPOOL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.whiterabbit", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/" ], "synonyms": [], "type": [] }, "uuid": "901b88e6-4759-4aa6-b4d1-9f7da53c2adf", "value": "WhiteRabbit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti", "https://asec.ahnlab.com/en/55785/", "https://attack.mitre.org/groups/G0096", 
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a", "https://blog.exatrack.com/melofee/", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-atlas" ], "synonyms": [], "type": [] }, "uuid": "d6c5211e-506d-415c-b886-0ced529399a1", "value": "Winnti (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet", "https://news.drweb.com/show/?i=2679&lng=en&c=14", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html" ], "synonyms": [], "type": [] }, "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", "value": "Wirenet (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", "https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "synonyms": [ "chopstick", "fysbis", "splm" ], "type": [] }, "uuid": "a8404a31-968a-47e8-8434-533ceaf84c1f", "value": "X-Agent (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe", 
"https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html", "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/", "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775" ], "synonyms": [], "type": [] }, "uuid": "55b4d75f-adcc-47df-81cf-6c93ccb54a56", "value": "Xanthe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc", "https://twitter.com/michalmalik/status/846368624147353601" ], "synonyms": [], "type": [] }, "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", "value": "Xaynnalc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://unit42.paloaltonetworks.com/atoms/agedlibra/" ], "synonyms": [], "type": [] }, "uuid": "ee54fc1e-c574-4836-8cdb-992ac38cef32", "value": "Xbash" }, { "description": "According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. 
It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xdr33", "https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/" ], "synonyms": [], "type": [] }, "uuid": "c7b1cc91-7464-436e-ac40-3b06c98400a5", "value": "xdr33" }, { "description": "Linux DDoS C&C Malware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", "https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf", "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/", "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", "https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/", "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html", "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/", "https://en.wikipedia.org/wiki/Xor_DDoS", "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html", "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf", "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775", "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf", "https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/", 
"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/", "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/" ], "synonyms": [ "XORDDOS" ], "type": [] }, "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", "value": "XOR DDoS" }, { "description": "Zergeca is a DDoS-botnet and backdoor written in Golang. It uses modified UPX for packing, with the magic number 0x30219101 instead of \"UPX!\". It is being distributed via weak telnet passwords and known vulnerabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zergeca", "https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet" ], "synonyms": [], "type": [] }, "uuid": "a660eeda-910a-4df5-86ba-f17d8ac93c31", "value": "Zergeca" }, { "description": "ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zerobot", "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/" ], "synonyms": [ "ZeroStresser" ], "type": [] }, "uuid": "458c583b-4353-4104-bee8-9e68cb77f151", "value": "ZeroBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zhtrap", "https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/" ], "synonyms": [], "type": [] }, "uuid": "d070ff73-ad14-4f6b-951f-1645009bdf80", "value": "ZHtrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard", "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" ], "synonyms": [ "darlloz" ], "type": [] }, "uuid": "9218630d-0425-4b18-802c-447a9322990d", "value": "Zollard" }, { "description": "According to Black 
Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zuo_rat", "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" ], "synonyms": [], "type": [] }, "uuid": "c4b0a7cd-b349-44a1-94ca-3d5a4ac288b2", "value": "ZuoRAT" }, { "description": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad", "https://github.com/Hopfengetraenk/Fas-Disasm", "https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft" ], "synonyms": [ "Acad.Bursted", "Duxfas" ], "type": [] }, "uuid": "fb22d876-c6b5-4634-a468-5857088d605c", "value": "AutoCAD Downloader" }, { "description": "According to Google, this is a cookie stealer", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.cookiesnatch", "https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/" ], "synonyms": [], "type": [] }, "uuid": "1b2d02d7-aa83-4101-ab10-2767b59c9c75", "value": "COOKIESNATCH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "f7c1675f-b38a-4511-9ac4-6e475b3815e6", "value": "DualToy (iOS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject", "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" ], "synonyms": [], "type": [] }, 
"uuid": "d9215579-eee0-4e50-9157-dba7c3214769", "value": "GuiInject" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy", "https://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior", "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf", "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/", "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" ], "synonyms": [], "type": [] }, "uuid": "8a1b524b-8fc9-4b1d-805d-c0407aff00d7", "value": "lightSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.phenakite", "https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html" ], "synonyms": [ "Dakkatoni" ], "type": [] }, "uuid": "7ba7488c-b153-4949-8391-bcf6c4b057bd", "value": "Phenakite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp", "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/" ], "synonyms": [ "INSOMNIA" ], "type": [] }, "uuid": "7982cc15-f884-40ca-8a82-a452b9c340c7", "value": "PoisonCarp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.postlo", "https://twitter.com/opa334dev/status/1374754519268098051" ], "synonyms": [], "type": [] }, "uuid": "25bff9ad-20dc-4746-a174-e54fcdd8f0c1", "value": "Postlo" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/ios.triangledb", "https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers", "https://securelist.com/operation-triangulation-catching-wild-triangle/110916/", "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/", "https://securelist.com/triangulation-validators-modules/110847/", "https://securelist.com/triangledb-triangulation-implant/110050/" ], "synonyms": [], "type": [] }, "uuid": "25754894-018b-4bed-aab6-c676fac23a77", "value": "TriangleDB" }, { "description": "According to Google, this reconnaissance payload uses a profiling framework drawing canvas to identify the target’s exact iPhone model, a technique used by many other actors. The iPhone model is sent back to the C2 along with screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj).\r\nThe server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. 
The payload makes another request to the exploit server with gcr=1 as a parameter to get the AES decryption key from the C2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.validvictor", "https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/" ], "synonyms": [], "type": [] }, "uuid": "16c0e484-7d03-46f4-870a-297d5397d693", "value": "VALIDVICTOR" }, { "description": "The iOS malware that is installed over USB by osx.wirelurker", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bb340271-023c-4283-9d22-123317824a11", "value": "WireLurker (iOS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.xagent", "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/", "https://www.secureworks.com/research/threat-profiles/iron-twilight" ], "synonyms": [], "type": [] }, "uuid": "430b9f30-5e37-49c8-b4e7-21589f120d89", "value": "X-Agent (iOS)" }, { "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. 
Malspam URL to download the malware\r\n\r\nPersistence\r\n- Run key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\nHiding\r\nUses attrib.exe to set file attributes\r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy-aware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", "https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/", "https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html", "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", "https://blogs.seqrite.com/evolution-of-jrat-java-malware/", "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/", "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", "https://research.checkpoint.com/malware-against-the-c-monoculture/", "https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat", "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "http://malware-traffic-analysis.net/2017/07/04/index.html", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [ "AlienSpy", "Frutas", "JBifrost", "JSocket", "Sockrat", "UNRECOM" ], "type": [] }, "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", "value": "AdWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adzok", "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [], "type": [] }, "uuid": 
"90cb8ee6-52e6-4d8d-8f45-f04b9aec1f6c", "value": "Adzok" }, { "description": "F-Secure observed Banload variants silently downloading malicious files from a remote server, then installing and executing the files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload", "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf", "https://colin.guru/index.php?title=Advanced_Banload_Analysis", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "30a61fa9-4bd1-427d-9382-ff7c33bd7043", "value": "Banload" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.bluebanana", "https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community" ], "synonyms": [], "type": [] }, "uuid": "c51bbc9b-0906-4ac5-8026-d6b8b7b23e71", "value": "Blue Banana RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", "https://objective-see.com/blog/blog_0x28.html", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Trupto" ], "type": [] }, "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", "value": "CrossRAT" }, { "description": "DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. 
In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.dynamicrat", "https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694" ], "synonyms": [ "DYNARAT" ], "type": [] }, "uuid": "28539c3d-89a4-4dd6-85f5-f4c95808c0b7", "value": "DynamicRAT" }, { "description": "EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string \"_packet_\" as a packet delimiter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.epicsplit", "https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat" ], "synonyms": [], "type": [] }, "uuid": "90b304a2-452a-4c74-ae8d-80d9ace881a4", "value": "EpicSplit RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat", "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" ], "synonyms": [], "type": [] }, "uuid": "3724d5d0-860d-4d1e-92a1-0a7089ca2bb3", "value": "FEimea RAT" }, { "description": "According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. 
IceRat has been observed to carry out information stealing and mining.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.icerat", "https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp" ], "synonyms": [], "type": [] }, "uuid": "ac83a481-2ab4-42c2-a8b6-a4aec96e1c4b", "value": "IceRat" }, { "description": "JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM's local application, with the goal of remotely controlling its operation. The malware's primary feature is the ability to dispense cash. The malware also opens a local listening port (65413) for commands from the attacker, who therefore needs to be located on the same internal network.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash", "https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore", "https://twitter.com/r3c0nst/status/1111254169623674882" ], "synonyms": [], "type": [] }, "uuid": "71286008-9794-4dcc-a571-164195390c39", "value": "JavaDispCash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javalocker", "https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html", "https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html" ], "synonyms": [ "JavaEncrypt Ransomware" ], "type": [] }, "uuid": "4bdddf41-8d5e-468d-905d-8c6667a5d47f", "value": "JavaLocker" }, { "description": "jRAT, also known as Jacksbot, is a long-standing RAT written in Java. It supports macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. 
Note that the Adwind family is often mistakenly labeled as jRAT, because of a red herring reference to jrat.io.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", "https://www.eff.org/files/2018/01/29/operation-manul.pdf", "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered", "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/", "https://research.checkpoint.com/malware-against-the-c-monoculture/", "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/" ], "synonyms": [ "Jacksbot" ], "type": [] }, "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376", "value": "jRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" ], "synonyms": [], "type": [] }, "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", "value": "jSpy" }, { "description": "DDoS tool targeting Minecraft servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.mineping", "https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/", "https://github.com/foxkera/mineping" ], "synonyms": [], "type": [] }, "uuid": "f3f38528-a8bf-496a-af46-7eb60a9ec6c3", "value": "Mineping" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.octopus_scanner", "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain", "http://blog.nsfocus.net/github-ocs-0605/" ], "synonyms": [], "type": [] }, "uuid": "8ae996fe-50bb-479b-925c-e6b1e51a9b40", "value": "Octopus Scanner" }, { "description": "According to TrustWave, this is a loader leveraging JPHP, which was observed fetching Latrodectus and Lumma.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.pronsis_loader", 
"https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/" ], "synonyms": [], "type": [] }, "uuid": "80005653-bfbb-4a37-a8bf-87f8dc9e4047", "value": "Pronsis Loader" }, { "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/" ], "synonyms": [], "type": [] }, "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", "value": "Qarallax RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler", "https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf", "https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/", "https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/", "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer", "https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/", "https://www.herbiez.com/?p=1352", "https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/" ], "synonyms": [ "Pyrogenic Infostealer" ], "type": [] }, "uuid": "d16a3a1f-e244-4715-a67f-61ba30901efb", "value": "Qealler" }, { "description": "QRat, also known as Quaverse RAT, 
was introduced in May 2015, marketed as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax_rat (Qarallax RAT).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/", "https://www.digitrustgroup.com/java-rat-qrat/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/" ], "synonyms": [ "Quaverse RAT" ], "type": [] }, "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", "value": "QRat" }, { "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/" ], "synonyms": [], "type": [] }, "uuid": "da032a95-b02a-4af2-b563-69f686653af4", "value": "Ratty" }, { "description": "Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). 
The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased with a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as \"Tapt\", asserts that the tool is able to collect the following information from its target:\r\n- HardwareID\r\n- Username\r\n- Country\r\n- Language\r\n- Webcam\r\n- Headless\r\n- Operating system\r\n- Client Version", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus", "https://abnormalsecurity.com/blog/tax-customers-sorillus-rat" ], "synonyms": [], "type": [] }, "uuid": "80694785-aeb6-4e05-a3e8-cb972993d769", "value": "Sorillus RAT" }, { "description": "STRRAT is a Java-based RAT which makes extensive use of plugins to provide an attacker with full remote access, as well as credential stealing, keylogging and further plugin-based functionality. The RAT focuses on stealing credentials from browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.\r\n\r\nFrom version 1.2 onwards, STRRAT has been infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. 
Version 1.5 of STRRAT Malware includes a proper encryption routine, though currently pretty simple to revert.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", "https://forensicitguy.github.io/strrat-attached-to-msi/", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain", "https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/", "https://twitter.com/MsftSecIntel/status/1395138347601854465", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", "https://www.jaiminton.com/reverse-engineering/strrat", "https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1", "https://isc.sans.edu/diary/rss/27798", "https://www.gdatasoftware.com/blog/strrat-crimson", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://www.jaiminton.com/reverse-engineering/strrat#", "https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon", "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", "https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign" ], "synonyms": [], "type": [] }, "uuid": "6d1335d5-8351-4725-ad8a-07cabca4119e", "value": "STRRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot", "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" ], "synonyms": [ "BlazeBot" ], "type": [] }, "uuid": "651e37e0-1bf8-4024-ac1e-e7bda42470b0", "value": "SupremeBot" }, { "description": "This malware seems to be used for attacks installing cryptocurrency miners on infected machines. Other indicators leads to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for Discord chat app). 
Symantec describes this malware as complex and powerful: it is loaded as a server-side polymorphic JAR file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.verblecon", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord" ], "synonyms": [], "type": [] }, "uuid": "793565b4-666b-47a4-b15b-de9c80c75a51", "value": "Verblecon" }, { "description": "According to Lumen, a web shell used by Volt Typhoon, observed in connection with the exploitation of a Versa Director zero-day.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.versamem", "https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/" ], "synonyms": [], "type": [] }, "uuid": "eb15c0ec-108e-4082-a0c1-ea41345b7db7", "value": "VersaMem" }, { "description": "AIRBREAK is a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html", "http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [ "Orz" ], "type": [] }, "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", "value": "AIRBREAK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" ], "synonyms": [], "type": [] }, "uuid": 
"fb75a753-24ba-4b58-b7ed-2e39b0c68c65", "value": "Bateleur" }, { "description": "BeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim's web browsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM packages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. Researchers have identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely still under development. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail", "https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/", "https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html", "https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers", "https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/", "https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ", "https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/", "https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west", "https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/", "https://www.group-ib.com/blog/apt-lazarus-python-scripts/", "https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot" ], "synonyms": [], "type": [] }, "uuid": 
"da0fb7ce-d730-4ee8-bcc8-3da7eba8ad79", "value": "BeaverTail" }, { "description": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" ], "synonyms": [], "type": [] }, "uuid": "7ebeb691-b979-4a88-94e1-dade780c6a7f", "value": "BELLHOP" }, { "description": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. 
It will spawn a 32 bit version of the binary specified and inject shellcode into it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch", "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/", "https://www.codercto.com/a/46729.html", "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf", "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/", "https://www.macnica.net/file/mpression_automobile.pdf", "https://github.com/mdsecactivebreach/CACTUSTORCH" ], "synonyms": [], "type": [] }, "uuid": "efbb5a7c-8c01-4aca-ac21-8dd614b256f7", "value": "CACTUSTORCH" }, { "description": "GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.chromeback", "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/" ], "synonyms": [], "type": [] }, "uuid": "ec055670-4d25-4918-90c7-281fddf3a771", "value": "ChromeBack" }, { "description": "ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. 
The malware leverages social engineering to trick the user into running a fake web browser update.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.clearfake", "https://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code", "https://rmceoin.github.io/malware-analysis/clearfake/", "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/" ], "synonyms": [], "type": [] }, "uuid": "8899bc6f-62e1-4732-988a-d5d64a5cf9bd", "value": "ClearFake" }, { "description": "WebAssembly-based cryptocurrency miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", "https://twitter.com/JohnLaTwC/status/983011262731714565", "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec" ], "synonyms": [], "type": [] }, "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", "value": "CryptoNight" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx", "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/" ], "synonyms": [ "Roblox Trade Assist" ], "type": [] }, "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60", "value": "CukieGrab" }, { "description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA for C&C.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman", "https://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/", "https://www.prevailion.com/darkwatchman-new-fileness-techniques/", "https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/", "https://cyble.com/blog/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/" ], "synonyms": [], "type": [] }, "uuid": 
"4baf5a22-7eec-4ad8-8780-23a351d9b5f5", "value": "DarkWatchman" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat", "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [ "DNSbot" ], "type": [] }, "uuid": "a4b40d48-e40b-47f2-8e30-72342231503e", "value": "DNSRat" }, { "description": "Open-source JavaScript info stealer capable of stealing crypto wallets, passwords and cookies, and of modifying Discord clients (source: https://github.com/doener2323/doenerium).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.doenerium", "https://twitter.com/0xToxin/status/1572612089901993985", "https://perception-point.io/doenerium-malware/" ], "synonyms": [], "type": [] }, "uuid": "dc446dbc-6f8a-48ee-9e90-10e679a003e1", "value": "doenerium" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.enrume", "https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/" ], "synonyms": [ "Ransom32" ], "type": [] }, "uuid": "d6e5f6b7-cafb-476d-958c-72debdabe013", "value": "Enrume" }, { "description": "According to Proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. 
The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum", "http://blog.nsfocus.net/agentvxapt-evilnum/", "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw", "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", "http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html", "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3", "value": "EVILNUM (Javascript)" }, { "description": "FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdateru", "https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html" ], "synonyms": [], "type": [] }, "uuid": "9106e280-febe-45a3-9cd1-cbffafc0c85b", "value": "FakeUpdateRU" }, { "description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. 
FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\r\n\r\nFAKEUPDATES has been heavily used by UNC1543, a financially motivated group.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates", "https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html", "https://experience.mandiant.com/trending-evil/p/1", "https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt", "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/", "https://malasada.tech/the-landupdate808-fake-update-variant/", "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/", "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://x.com/GenThreatLabs/status/1840762181668741130", "https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends", "https://www.menlosecurity.com/blog/increase-in-attack-socgholish", "https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/", "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems", 
"https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://twitter.com/MsftSecIntel/status/1522690116979855360", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond", "https://www.lac.co.jp/lacwatch/report/20220407_002923.html", "https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/", "https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/", "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee" ], "synonyms": [ "FakeUpdate", "SocGholish" ], "type": [] }, "uuid": "cff35ce3-8d6f-417b-ae6c-a9e6a60ee26c", "value": "FAKEUPDATES" }, { "description": "According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). 
It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader", "https://malasada.tech/gootloader-isnt-broken/", "https://gootloader.wordpress.com/2024/02/14/my-game-retired-latest-changes-to-gootloader/", "https://www.reliaquest.com/blog/gootloader-infection-credential-access/", "https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader", "https://x.com/MsftSecIntel/status/1836456406276342215", "https://experience.mandiant.com/trending-evil/p/1", "https://dinohacks.blogspot.com/2022/06/loading-gootloader.html", "https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/", "https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader", "https://github.com/struppigel/hedgehog-tools/tree/main/gootloader", "https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain", "https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/", "https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/", "https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://gootloader.wordpress.com/2024/06/24/gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows/", "https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique", 
"https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://redcanary.com/blog/gootloader", "https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf", "https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/", "https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/", "https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/", "https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/", "https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/", "https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/", "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766", "https://community.riskiq.com/article/f5d5ed38", "https://www.esentire.com/web-native-pages/gootloader-unloaded" ], "synonyms": [ "SLOWPOUR" ], "type": [] }, "uuid": "5b2569e5-aeb2-4708-889f-c6d598bd5e14", "value": "GootLoader" }, { "description": "grelos is a skimmer used for magecart-style attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos", "https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745", "https://www.riskiq.com/blog/labs/magecart-medialand/", "https://community.riskiq.com/article/8c4b4a7a" ], "synonyms": [], "type": [] }, "uuid": "79580c0b-c390-4421-976a-629a5c11af95", "value": "grelos" }, { "description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. 
The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.mandiant.com/resources/evolution-of-fin7", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://twitter.com/ItsReallyNick/status/1059898708286939136" ], "synonyms": [ "Harpy" ], "type": [] }, "uuid": "85c25380-69d7-4d7e-b279-6b6791fd40bd", "value": "Griffon" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/js.inter", "https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html" ], "synonyms": [], "type": [] }, "uuid": "36b0f1a0-29a4-4ec5-bca2-18a241881d49", "value": "inter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.jeniva", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/" ], "synonyms": [], "type": [] }, "uuid": "b0631a44-3264-429d-b8bc-3a27e27be305", "value": "Jeniva" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.jetriz", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/" ], "synonyms": [], "type": [] }, "uuid": "9e6a0a54-8b55-4e78-a3aa-15d1946882e1", "value": "Jetriz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.jsprat", "https://www.mandiant.com/resources/fin13-cybercriminal-mexico", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "71903afc-7129-4821-90e5-c490e4902de3", "value": "jspRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity", "https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html", "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"2269d37b-87e9-460d-b878-b74a2f4c3537", "value": "KopiLuwak" }, { "description": "The LNKR trojan is a malicious browser extension that will monitor the websites visited by the user, looking for pages with administrative privileges such as blog sites or web-based virtual learning environments. When the administrative user posts to the page, the infected extension will execute a stored cross-site scripting attack and inject malicious JavaScript into the legitimate HTML of the page. This is used to redirect the second-party visitors of the site to both benign and malicious domains. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr", "https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/", "https://www.riskiq.com/blog/labs/lnkr-browser-extension/", "https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md", "https://github.com/Zenexer/lnkr" ], "synonyms": [], "type": [] }, "uuid": "1a85acf3-4bda-49b4-9e50-1231f0b7340a", "value": "LNKR" }, { "description": "Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it's a sophisticated implant built on top of relays, command and controls and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in Javascript included into a compromised checkout page. 
It copies data from \"input fields\" and sends them to a relay which collects credit cards coming from a subset of compromised eCommerces and forwards them to Command and Control servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", "https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html", "https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218", "https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season", "https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/", "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/", "https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/", "https://community.riskiq.com/article/5bea32aa", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/", "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/", "https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter", "https://www.riskiq.com/blog/labs/magecart-nutribullet/", "https://community.riskiq.com/article/30f22a00", "https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/", "https://sansec.io/research/magecart-corona-lockdown", "https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/", "https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/", 
"https://sansec.io/research/magento-2-persistent-parasite", "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://www.goggleheadedhacker.com/blog/post/14", "https://geminiadvisory.io/magecart-google-tag-manager/", "https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/", "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/", "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/", "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/", "https://twitter.com/AffableKraut/status/1415425132080816133?s=20", "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/", "https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/", "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/", "https://community.riskiq.com/article/743ea75b/description", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/", "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/", "https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/", "https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf", "https://community.riskiq.com/article/fda1f967", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/", 
"https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/", "https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/", "https://community.riskiq.com/article/017cf2e6", "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/", "https://twitter.com/MBThreatIntel/status/1416101496022724609", "https://community.riskiq.com/article/2efc2782", "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/", "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/", "https://www.riskiq.com/blog/labs/magecart-medialand/", "https://community.riskiq.com/article/14924d61", "https://sansec.io/research/north-korea-magecart", "https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html", "https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/", "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html", "https://twitter.com/AffableKraut/status/1385030485676544001", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936", "value": "magecart" }, { "description": "MegaMedusa is NodeJS DDoS Machine Layer-7 provided by RipperSec Team.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.mega_medusa", "https://www.radware.com/blog/security/2024/08/megamedusa-rippersec-public-web-ddos-attack-tool/" ], "synonyms": [], "type": [] }, "uuid": "8a51e636-13be-4bdc-a32f-2d832263ba5b", "value": "megaMedusa" }, { "description": "MiniJS is a very simple JavaScript-based first-stage backdoor. 
\r\nThe backdoor is probably distributed via spearphishing email. \r\nDue to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.minijs", "https://www.virustotal.com/gui/file/0ce9aadf6a3ffd85d6189590ece148b2f9d69e0ce1c2b8eb61361eb8d0f98571/details" ], "synonyms": [], "type": [] }, "uuid": "5fd2f4f0-0591-45bb-a843-c194d5e294cd", "value": "MiniJS" }, { "description": "According to Orange Cyberdefense, MintsLoader is a little-known, multi-stage malware loader that has been used since at least February 2023. It has been observed in widespread distribution campaigns between July and October 2024. The name comes from a very characteristic use of an URL parameter “1.php?s=mintsXX\" (with XX being numbers).\r\n\r\nMintsLoader primarily delivers malicious RAT or infostealing payloads such as AsyncRAT and Vidar through phishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and PowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains, most of which use a domain generation algorithm (DGA) with .top TLD.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.mints_loader", "https://nikhilh-20.github.io/blog/deob_js_ast/", "https://x.com/CERTCyberdef/status/1849392561024065779", "https://github.com/cert-orangecyberdefense/mintsloader" ], "synonyms": [], "type": [] }, "uuid": "0cd219f4-1f3b-4958-b678-173257abd67e", "value": "MintsLoader" }, { "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. 
It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", "https://github.com/eset/malware-ioc/tree/master/evilnum", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://www.esentire.com/web-native-pages/unmasking-venom-spider", "https://twitter.com/Arkbird_SOLG/status/1301536930069278727", "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", "https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html", "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", "https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", 
"https://blog.morphisec.com/cobalt-gang-2.0", "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware", "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw", "https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1", "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire", "https://attack.mitre.org/software/S0284/", "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [ "SKID", "SpicyOmelette" ], "type": [] }, "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", "value": "More_eggs" }, { "description": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. 
NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu", "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf", "https://attack.mitre.org/software/S0228/" ], "synonyms": [], "type": [] }, "uuid": "3e46af39-52e8-442f-aff1-38eeb90336fc", "value": "NanHaiShu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat", "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html", "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "e3b0ed5c-4e6a-4f50-bef2-1f7112aa31ed", "value": "NodeRAT" }, { "description": "According to the author, this is a project that will give an understanding of bypassing Multi Factor Authentication (MFA) of an outlook account. It is built in node.js and uses playwright for the automation in the backend.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.offode", "https://github.com/Jhangju/offode" ], "synonyms": [], "type": [] }, "uuid": "0be6d248-382a-48b8-9a52-dba08aaa891e", "value": "OFFODE" }, { "description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. 
Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap", "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/", "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://www.intrinsec.com/deobfuscating-hunting-ostap/", "https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/", "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/" ], "synonyms": [], "type": [] }, "uuid": "a3b93781-c51c-4ccb-a856-804331470a9d", "value": "ostap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.parasitesnatcher", 
"https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html" ], "synonyms": [], "type": [] }, "uuid": "9af9557c-04fc-4231-85c4-d1fb30c53cb6", "value": "ParaSiteSnatcher" }, { "description": "This malicious code written in JavaScript is used as a Traffic Direction System (TDS). This TDS shows similarities to the Prometheus TDS. According to DECODED Avast.io this TDS has been active since October 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.parrot_tds", "https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/", "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/" ], "synonyms": [], "type": [] }, "uuid": "dbefad0a-29d3-49d3-b925-116598182dee", "value": "Parrot TDS" }, { "description": "PeaceNotWar was integrated into the nodejs module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia and Belarus (using geolocation) and overwrites files recursively using a heart emoji.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar", "https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c", "https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers", "https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/" ], "synonyms": [], "type": [] }, "uuid": "6c304481-024e-4f34-af06-6235edacfdcc", "value": "PeaceNotWar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.pindos", "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "synonyms": [], "type": [] }, "uuid": "6af1eb7a-bc54-43af-9e15-7187a5f250c4", "value": "PindOS" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet", "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" ], "synonyms": [], "type": [] }, "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", "value": "Powmet" }, { "description": "According to Trend Micro, this is a Node.js based malware, that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32 and 64bit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice", "https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/", "https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf" ], "synonyms": [], "type": [] }, "uuid": "52d9260f-f090-4e79-b0b3-0c89f5db6bc6", "value": "QNodeService" }, { "description": "QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. 
QUICKCAFE is obfuscated using JavaScript Obfuscator.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "475766d2-1e99-4d81-89e4-0d0df4a562d0", "value": "QUICKCAFE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/", "http://resources.infosecinstitute.com/scanbox-framework/", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/" ], "synonyms": [], "type": [] }, "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", "value": "scanbox" }, { "description": "SQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. 
The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" ], "synonyms": [], "type": [] }, "uuid": "d51cb8f8-cca3-46ce-a05d-052df44aef40", "value": "SQLRat" }, { "description": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter", "https://github.com/Cn33liz/StarFighters" ], "synonyms": [], "type": [] }, "uuid": "f6c80748-1cce-4f6b-92e9-f8a04ff3464a", "value": "Starfighter (Javascript)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.swid", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/" ], "synonyms": [], "type": [] }, "uuid": "d4be22cf-497d-46a0-8d57-30d10d9486e3", "value": "Swid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/" ], "synonyms": [], "type": [] }, "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", "value": "HTML5 Encoding" }, { "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools", 
"https://twitter.com/JohnLaTwC/status/915590893155098629" ], "synonyms": [], "type": [] }, "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", "value": "Maintools.js" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001", "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f", "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef" ], "synonyms": [], "type": [] }, "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", "value": "Unidentified JS 001 (APT32 Profiler)" }, { "description": "According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003", "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/" ], "synonyms": [], "type": [] }, "uuid": "7bf28be0-3153-474d-8df7-e12fec511d7e", "value": "Unidentified JS 003 (Emotet Downloader)" }, { "description": "A simple loader written in JavaScript found by Marco Ramilli.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004", "https://marcoramilli.com/2020/11/27/threat-actor-unkown/" ], "synonyms": [], "type": [] }, "uuid": "a15e7c49-4eb6-46f0-8f79-0b765d7d4e46", "value": "Unidentified JS 004" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_005", "https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html" ], "synonyms": [], "type": [] }, "uuid": "a797e9b9-cb3f-484a-9273-ac73e9ea1e06", "value": "Unidentified JS 005 (Stealer)" }, { "description": "A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_006", "https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf", "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/" ], "synonyms": [], "type": [] }, "uuid": "547fed09-38d0-4813-b9b0-870a1d4136df", "value": "Unidentified JS 006 (Winter Wyvern)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002" ], "synonyms": [], "type": [] }, "uuid": "7144063f-966b-4277-b316-00eb970ccd52", "value": "Unidentified JS 002" }, { "description": "According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).\r\n\r\nResearch shows that Valak is distributed through spam campaigns; however, in some cases, it infiltrates systems when they are already infected with a malicious program such as Ursnif (also known as Gozi).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.valak", "https://security-soup.net/analysis-of-valak-maldoc/", "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/", "https://unit42.paloaltonetworks.com/valak-evolution/", "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://unit42.paloaltonetworks.com/atoms/monsterlibra/", "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7", "https://twitter.com/malware_traffic/status/1207824548021886977", 
"https://www.cybereason.com/blog/valak-more-than-meets-the-eye" ], "synonyms": [ "Valek" ], "type": [] }, "uuid": "b37b4d91-0ac7-48f5-8fd1-5237b9615cf7", "value": "Valak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf" ], "synonyms": [], "type": [] }, "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", "value": "witchcoven" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell", "https://blog.gigamon.com/2022/09/28/investigating-web-shells/", "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat", "https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/", "https://asec.ahnlab.com/en/47455/", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" ], "synonyms": [], "type": [] }, "uuid": "07e88ccf-6027-412b-99bf-0fa1d3cfb174", "value": "Godzilla Webshell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.3cx_backdoor", "https://objective-see.org/blog/blog_0x74.html", "https://objective-see.org/blog/blog_0x73.html" ], "synonyms": [], "type": [] }, "uuid": "d5e10bf9-9de8-46be-96d0-aa502b14ffe8", "value": "3CX Backdoor (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos", "https://securelist.com/crimeware-report-fakesg-akira-amos/111483/", "https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version", "https://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/", "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising", 
"https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/", "https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/", "https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/", "https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219" ], "synonyms": [ "Atomic macOS Stealer" ], "type": [] }, "uuid": "2fa2be52-e44f-4998-bde7-c66cfb6f4521", "value": "AMOS" }, { "description": "According to PcRisk AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment", "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", "https://objective-see.com/blog/blog_0x5F.html", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", "https://www.youtube.com/watch?v=rjA0Vf75cYk", "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56", "https://securelist.com/operation-applejeus/87553/", "https://objective-see.com/blog/blog_0x54.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", 
"https://www.youtube.com/watch?v=1NkzTKkEM2k", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://securelist.com/operation-applejeus-sequel/95596/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", "https://objective-see.com/blog/blog_0x49.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "ca466f15-8e0a-4030-82cb-5382e3c56ee5", "value": "AppleJeus (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.banshee", "https://www.elastic.co/security-labs/beyond-the-wail?ultron=esl:_threat_research%2Besl_blog_post&blade=twitter&hulk=social&utm_content=14389248623&linkId=549532028" ], "synonyms": [], "type": [] }, "uuid": "5d7b9bcf-a0b6-47eb-8350-a80fac356567", "value": "BANSHEE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", "https://github.com/kai5263499/Bella", "https://threatintel.blog/OPBlueRaven-Part2/", "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248", "value": "Bella" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore", "https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20", "https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c", "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/", "https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [ "SurfBuyer" ], "type": [] }, "uuid": 
"5f5f5496-d9f8-4984-aa66-8702741646fe", "value": "Bundlore" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [ "Appetite", "Mask" ], "type": [] }, "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", "value": "Careto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.casso", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" ], "synonyms": [], "type": [] }, "uuid": "387e1a19-458d-4961-a8e4-3f82463085e5", "value": "Casso" }, { "description": "Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds", "https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/", "https://objective-see.com/blog/blog_0x69.html", "https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/", "https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/" ], "synonyms": [ "Macma" ], "type": [] }, "uuid": "5e4bdac7-b6c8-4c59-996f-babfc3bb3a3c", "value": "CDDS" }, { "description": "A loader delivering malicious Chrome and Safari extensions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi", "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension", "https://www.th3protocol.com/2022/Choziosi-Loader", "https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/", "https://redcanary.com/blog/chromeloader/", 
"https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER" ], "synonyms": [ "ChromeLoader", "Chropex" ], "type": [] }, "uuid": "57f75f24-b77b-46b3-a06a-57d49374fb82", "value": "Choziosi (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cloud_mensis", "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/", "https://twitter.com/ESETresearch/status/1575103839115804672" ], "synonyms": [], "type": [] }, "uuid": "557fc183-f51a-4740-b2dd-5e81e6f6690a", "value": "CloudMensis" }, { "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on GitHub (where the trojanized compiled binary did not match the displayed source code),\r\n- on popular and trusted download sites like CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher's role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted Bitcoin-Qt versions 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt by adding malicious code that would send nearly all the victim's Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and were disguised as a “Pop-up blocker”. The extensions monitored visited websites, downloaded malicious JavaScript and injected it into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). 
The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim’s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim’s hard drive to a remote server\r\n- update itself to a newer version", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", "https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [], "type": [] }, "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8", "value": "CoinThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", "https://objective-see.com/blog/blog_0x2A.html", "https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf" ], "synonyms": [], "type": [] }, "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", "value": "Coldroot RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster", "https://securelist.com/convuster-macos-adware-in-rust/101258/" ], "synonyms": [], "type": [] }, "uuid": "3819ded3-27ac-4e2f-9cd6-c6ef1642599b", "value": "Convuster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner", "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/" ], "synonyms": [], "type": [] }, "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142", "value": "CpuMeaner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater", "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", 
"https://digitasecurity.com/blog/2018/02/05/creativeupdater/", "https://objective-see.com/blog/blog_0x29.html" ], "synonyms": [], "type": [] }, "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", "value": "CreativeUpdater" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html" ], "synonyms": [], "type": [] }, "uuid": "2bb6c494-8057-4d83-9202-fda3284deee4", "value": "Crisis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider", "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" ], "synonyms": [], "type": [] }, "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", "value": "Crossrider" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cthulhu_stealer", "https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos" ], "synonyms": [], "type": [] }, "uuid": "549f4c7c-55e3-478e-a84e-e27c5e195c97", "value": "Cthulhu Stealer" }, { "description": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to the Lazarus Group and targets Linux and Windows; this entry covers the macOS variant, which the references below describe as being distributed via a trojanized two-factor authentication (2FA) application. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. 
In any case, no RAT is harmless and should be uninstalled immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", "https://objective-see.com/blog/blog_0x57.html", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://objective-see.com/blog/blog_0x5F.html", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.sygnia.co/mata-framework", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/" ], "synonyms": [], "type": [] }, "uuid": "81def650-f52e-49a3-a3fe-cb53ffa75d67", "value": "Dacls (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer", "https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/" ], "synonyms": [], "type": [] }, "uuid": "a8e71805-014d-4998-b21e-3125da800124", "value": "DarthMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dazzle_spy", "https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/", "https://objective-see.com/blog/blog_0x6D.html" ], "synonyms": [], "type": [] }, "uuid": "ba2c7d3c-7f7a-42f7-854c-a6cc0b5eb850", "value": "DazzleSpy" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster", "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", "https://www.f-secure.com/weblog/archives/00002466.html" ], "synonyms": [], "type": [] }, "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", "value": "Dockster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy", "https://objective-see.com/blog/blog_0x32.html" ], "synonyms": [], "type": [] }, "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d", "value": "Dummy" }, { "description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses the Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service turns the victim’s computer into a server that gives attackers full, anonymous access to the infected machine via a Tor-generated address. \r\n\r\nThe Pastebin agent uploads that address in encrypted form to the Pastebin website, where the attackers can retrieve it.\r\n\r\nThe web service is the main malicious component and gives the attackers control over the infected machine. 
After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim’s webcam\r\n- Sending emails with an attachment", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor", "https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/" ], "synonyms": [], "type": [] }, "uuid": "c221e519-fe3e-416e-bc63-a2246b860958", "value": "Eleanor" }, { "description": "According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, MacOS, and Linux users. Cyber criminals behind ElectroRAT target mainly cryptocurrency users. This RAT is distributed via the trojanized Jamm, eTrader, and DaoPoker applications.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://objective-see.com/blog/blog_0x61.html" ], "synonyms": [], "type": [] }, "uuid": "f8ccf928-7d4f-4999-91a5-9222f148152d", "value": "ElectroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx", "https://github.com/Marten4n6/EvilOSX", "https://twitter.com/JohnLaTwC/status/966139336436498432" ], "synonyms": [], "type": [] }, "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", "value": "EvilOSX" }, { "description": "According to PcRisk, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom 
message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions; this ransomware, however, leaves them unchanged.\r\n\r\nIt drops a \"READ_ME_NOW.txt\" ransom note in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting whether certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server. Several of the references below treat the ransomware component as a cover for the malware's data-theft (file exfiltration) and spyware functionality.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest", "https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/", "https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/", "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://objective-see.com/blog/blog_0x5F.html", "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities", "https://twitter.com/dineshdina04/status/1277668001538433025", "https://objective-see.com/blog/blog_0x59.html", "https://github.com/gdbinit/evilquest_deobfuscator", "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/" ], "synonyms": [ "ThiefQuest" ], "type": [] }, "uuid": "d5b39223-a8cc-4d47-8030-1d7d6312d351", "value": "EvilQuest" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale", "https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/" ], "synonyms": [], "type": [] }, "uuid": "5dfd704c-a69d-4e93-bd70-68f89fbbb32c", "value": "FailyTale" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher", 
"https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/", "https://objective-see.com/blog/blog_0x4F.html", "https://objective-see.com/blog/blog_0x5F.html", "https://securelist.com/finspy-unseen-findings/104322/", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" ], "synonyms": [], "type": [] }, "uuid": "89ce536c-03b9-4f69-83ce-723f26b36494", "value": "FinFisher (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", "https://news.drweb.com/show/?c=5&i=2386&lng=en", "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", "https://en.wikipedia.org/wiki/Flashback_(Trojan)", "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html", "https://web-assets.esetstatic.com/wls/200x/white-papers/osx_flashback.pdf", "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [ "FakeFlash" ], "type": [] }, "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", "value": "FlashBack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", "https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf", "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/", "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", 
"https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/" ], "synonyms": [ "Quimitchin" ], "type": [] }, "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", "value": "FruitFly" }, { "description": "Fullhouse (AKA FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. Fullhouse is written in C/C++ and combines tunneler capabilities with support for backdoor commands such as shell command execution, file transfer, file management, and process injection. C2 communications occur via HTTP and require configuration through the command line or a configuration file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fullhouse", "https://www.mandiant.com/resources/blog/north-korea-supply-chain" ], "synonyms": [], "type": [] }, "uuid": "2ab781d8-214d-41e2-acc9-23ded4f77663", "value": "FULLHOUSE" }, { "description": "GIMMICK is the name Volexity gave to the macOS variant, written in Objective-C, of a multi-platform malware family. It is a file-based C2 implant used by Storm Cloud.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick", "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/", "https://cybersecuritynews.com/gimmick-malware-attacks/" ], "synonyms": [], "type": [] }, "uuid": "0e259d0f-717a-4ced-ac58-6fe9d72e2c96", "value": "GIMMICK (OS X)" }, { "description": "According to PCrisk, GMERA (also known as Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app created for Mac users.\r\n\r\nResearch shows that there are two variants of this malware, one detected as Trojan.MacOS.GMERA.A and the other as Trojan.MacOS.GMERA.B. Cyber criminals proliferate GMERA to steal various information and upload it to a website under their control. 
To avoid damage caused by this malware, remove GMERA immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera", "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", "https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/", "https://objective-see.com/blog/blog_0x53.html" ], "synonyms": [ "Kassi", "StockSteal" ], "type": [] }, "uuid": "1c65cf4e-5df4-4d56-a414-7b05f00814ba", "value": "Gmera" }, { "description": "According to Malwarebytes, The HiddenLotus \"dropper\" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" ], "synonyms": [], "type": [] }, "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", "value": "HiddenLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hloader", "https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn" ], "synonyms": [], "type": [] }, "uuid": "28304d68-689e-4488-80cb-d5b7b50a8d57", "value": "HLOADER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hz_rat", "https://www.intego.com/mac-security-blog/new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs/" ], "synonyms": [], "type": [] }, "uuid": "37f37678-c8c3-44d7-82bd-ecb452fba012", "value": "HZ RAT (OS X)" }, { "description": "The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. 
It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:\r\n\r\n- capture screenshots\r\n- exfiltrate files to a remote computer\r\n- send various information about the infected computer\r\n- extract ZIP archive\r\n- download files from a remote computer and/or the Internet\r\n- run executable files", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/", "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", "https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/" ], "synonyms": [ "Revir" ], "type": [] }, "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", "value": "iMuler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.interception", "https://twitter.com/ESETresearch/status/1559553324998955010", "https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/", "https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto" ], "synonyms": [], "type": [] }, "uuid": "d4f7ea92-04e7-405c-9faf-7993ffd5c473", "value": "Interception (OS X)" }, { "description": "According to Patrick Wardle, this malware persists a python script as a cron job. \r\nSteps: \r\n1. Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'. \r\n2. Appends its new job to this file.\r\n3. 
Once the new cron job has been added 'python (~/.t/runner.pyc)' runs every minute.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab", "https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/", "https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/", "https://www.macmark.de/blog/osx_blog_2013-08-a.php", "https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/", "https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/", "https://www.malwarology.com/posts/5-janicab-part_1/", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html", "https://archive.f-secure.com/weblog/archives/00002576.html", "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/", "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "01325d85-297f-40d5-b829-df9bd996af5a", "value": "Janicab (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.jokerspy", "https://www.elastic.co/security-labs/inital-research-of-jokerspy" ], "synonyms": [], "type": [] }, "uuid": "171b0695-8cea-4ca6-a3f0-c9a8455ef9de", "value": "JokerSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kandykorn", "https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn" ], "synonyms": [], "type": [] }, "uuid": "d314856b-1c07-4f4a-ab3e-eeae38536857", "value": "KANDYKORN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger", "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/", 
"https://objective-see.com/blog/blog_0x16.html", "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html" ], "synonyms": [], "type": [] }, "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", "value": "KeRanger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", "https://github.com/eset/malware-ioc/tree/master/keydnap", "https://objective-see.com/blog/blog_0x16.html", "https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/" ], "synonyms": [], "type": [] }, "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", "value": "Keydnap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos", "https://www.f-secure.com/weblog/archives/00002558.html" ], "synonyms": [ "KitM" ], "type": [] }, "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", "value": "Kitmos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex", "https://objective-see.com/blog/blog_0x16.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/" ], "synonyms": [ "JHUHUGIT", "JKEYSKW", "SedUploader" ], "type": [] }, "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "value": "Komplex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kuiper", "https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "c39087ca-05b7-4374-aff1-116a73f2ba74", 
"value": "Kuiper (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lador", "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/" ], "synonyms": [], "type": [] }, "uuid": "9c6b54ce-44a0-4d0c-89cb-6532c8f89d8d", "value": "Lador" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lambert", "https://objective-see.com/blog/blog_0x68.html" ], "synonyms": [ "GreenLambert" ], "type": [] }, "uuid": "7433f3a8-f53c-4ba0-beff-e312fae9ad39", "value": "Lambert (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu", "https://objective-see.com/blog/blog_0x16.html", "https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" ], "synonyms": [], "type": [] }, "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", "value": "Laoshu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage", "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/", "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis" ], "synonyms": [], "type": [] }, "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87", "value": "Leverage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lockbit", "https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/", "https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group", "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79", "https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation", 
"https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://twitter.com/malwrhunterteam/status/1647384505550876675", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "0821b5c8-db48-4d0e-a969-384dbd74a6c9", "value": "LockBit (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://iranthreats.github.io/resources/macdownloader-macos-malware/" ], "synonyms": [], "type": [] }, "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", "value": "MacDownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02", "value": "MacInstaller" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom", "https://objective-see.com/blog/blog_0x1E.html", "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", "value": "MacRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy", "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7", "value": "MacSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx", "https://objective-see.com/blog/blog_0x16.html" ], 
"synonyms": [], "type": [] }, "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", "value": "MacVX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami", "https://objective-see.com/blog/blog_0x26.html" ], "synonyms": [], "type": [] }, "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", "value": "MaMi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt", "https://twitter.com/BitsOfBinary/status/1337330286787518464", "https://www.anquanke.com/post/id/223817", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://twitter.com/BitsOfBinary/status/1321488299932983296" ], "synonyms": [], "type": [] }, "uuid": "f85c3ec9-81f0-4dee-87e6-b3f6b235bfe7", "value": "Manuscrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", "https://objective-see.com/blog/blog_0x16.html", "https://objective-see.com/blog/blog_0x53.html", "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/" ], "synonyms": [], "type": [] }, "uuid": "bfbb6e5a-32dc-4842-936c-5d8497570c74", "value": "Mokes (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec", "https://objective-see.com/blog/blog_0x20.html" ], "synonyms": [], "type": [] }, "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", "value": "Mughthesec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.netwire", "https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/" ], "synonyms": [], "type": [] }, "uuid": "f0d52afd-e7c9-4bd1-be8a-9ab09b14ea24", "value": "NetWire" }, { "description": "According to PcRisk, Research shows that the OceanLotus 'backdoor' targets MacOS computers. 
Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.\r\n\r\nThe OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", "https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468", "https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/" ], "synonyms": [], "type": [] }, "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", "value": "OceanLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", 
"http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", "https://news.drweb.com/show/?i=1750&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "cd397973-8f42-4c49-8322-414ea77ec773", "value": "Olyx" }, { "description": "SentinelOne describes this as a malware written in Go, mixing own custom code with code from public repositories.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat", "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/" ], "synonyms": [], "type": [] }, "uuid": "699dac0f-092c-4c8e-85e9-6e3c86129190", "value": "oRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer", "https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" ], "synonyms": [], "type": [] }, "uuid": "89d0c423-c4ff-46e8-8c79-ea5e974e53e7", "value": "OSAMiner" }, { "description": "This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.\r\n\r\nThe downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.\r\n\r\nThe file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded ransom in Bitcoin, as instructed in the 'README!' 
.txt file copied all over the user's directories.\r\n\r\nDespite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" ], "synonyms": [ "FileCoder", "Findzip" ], "type": [] }, "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", "value": "Patcher" }, { "description": "A backdoor built as a fork of OpenSSH_6.0 with no logging and with hidden “-P” and “-z” command-line arguments; it contains the string “PuffySSH_5.8p1”.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized", "https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/" ], "synonyms": [], "type": [] }, "uuid": "de13bec0-f443-4c5a-91fe-2223dad43be5", "value": "PintSized" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", "https://forensicitguy.github.io/analyzing-pirrit-adware-installer/", "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/", "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [], "type": [] }, "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", "value": "Pirrit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.poolrat", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment", "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://www.3cx.com/blog/news/mandiant-security-update2/" ], "synonyms": [ "SIMPLESEA", "SIMPLETEA" ], "type": [] }, "uuid": "bfd9e30e-ddc7-426f-8f77-4d2e1a846541", "value": "POOLRAT" }, { "description": "Part of Mythic C2, written in Golang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidon", "https://github.com/MythicAgents/poseidon" ], "synonyms": [], "type": [] }, "uuid": "e4ac9105-c3ad-41e2-846b-048e2bbedc6a", "value": "Poseidon (OS X)" }, { "description": "macOS infostealer sold by an individual named Rodrigo4, currently consisting of a disk image containing a Mach-O without app bundle, which when executed spawns osascript executing an AppleScript with the actual infostealer payload. The AppleScript payload will steal files by packing them in a ZIP archive and uploading them to a hardcoded C2 via HTTP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidonstealer", "https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads", "https://github.com/govcert-ch/CTI/tree/main/20240627_macOS_PoseidonStealer", "https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/poseidon_bericht.html" ], "synonyms": [ "Rodrigo Stealer" ], "type": [] }, "uuid": "9eb9f899-acfb-4452-981f-5937aa1f47cc", "value": "Poseidon Stealer" }, { "description": "Proton RAT is a Remote Access Trojan (RAT) specifically designed for macOS systems. 
It is known for providing attackers with complete remote control over the infected system, allowing the execution of commands, keystroke capturing, access to the camera and microphone, and the ability to steal credentials stored in browsers and other password managers. This malware typically spreads through malicious or modified applications, which, when downloaded and installed by unsuspecting users, trigger its payload. Proton RAT is notorious for its sophistication and evasion capabilities, including techniques to bypass detection by installed security solutions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://objective-see.com/blog/blog_0x1D.html", "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does", "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/", "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/", "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf", "https://securelist.com/calisto-trojan-for-macos/86543/", "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/", "https://objective-see.com/blog/blog_0x1F.html" ], "synonyms": [ "Calisto" ], "type": [] }, "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44", "value": "Proton RAT" }, { "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet", "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/" ], "synonyms": [], "type": [] }, "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb", "value": "Pwnet" }, { "description": "Dok a.k.a. 
Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/", "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/" ], "synonyms": [ "Retefe" ], "type": [] }, "uuid": "80acc956-d418-42e3-bddf-078695a01289", "value": "Dok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket", "https://sansorg.egnyte.com/dl/3P3HxFiNgL", "https://securelist.com/bluenoroff-new-macos-malware/111290/", "https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/", "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html", "https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket", "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/" ], "synonyms": [], "type": [] }, "uuid": "03f356e6-296f-4195-bed0-9719a84887db", "value": "RustBucket (OS X)" }, { "description": "According to PCrisk, Shlayer is a trojan-type virus designed to proliferate various adware and other unwanted applications, and promote fake search engines. 
It is typically disguised as an Adobe Flash Player installer or as various software cracking tools.\r\n\r\nIn most cases, users encounter this virus when visiting dubious Torrent websites that are full of intrusive advertisements and deceptive downloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://securelist.com/shlayer-for-macos/95724/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://objective-see.com/blog/blog_0x64.html", "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/", "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities", "https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/", "https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508", "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "c3ee82df-a004-4c68-89bd-eb4bb2dfc803", "value": "Shlayer" }, { "description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without a payload so far.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis" ], "synonyms": [], "type": [] }, "uuid": "f6a7aeeb-fcc5-4d26-9eab-c0b6e2819a6c", "value": "Silver Sparrow" }, { "description": "SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).\r\n\r\nIt also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported 
commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different.\r\n\r\nSimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.simpletea", "https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf" ], "synonyms": [], "type": [] }, "uuid": "ce384804-8580-4d57-97b3-bde0d903f703", "value": "SimpleTea (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.spectral_blur", "https://twitter.com/greglesnewich/status/1742575613834084684" ], "synonyms": [], "type": [] }, "uuid": "c7c32006-a2d1-4bc2-8a25-84c07286464a", "value": "SpectralBlur (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.sugarloader", "https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn" ], "synonyms": [], "type": [] }, "uuid": "171501fd-d504-4257-9c3d-fbc066d6eeba", "value": "SUGARLOADER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.sysjoker", "https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/", "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html", "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/", "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/" ], "synonyms": [], "type": [] }, "uuid": "5bffe0fe-22f6-4d18-9372-f8c5d262d852", "value": "SysJoker (OS X)" }, { "description": "General purpose backdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd", "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf", 
"https://securelist.com/windealer-dealing-on-the-side/105946/" ], "synonyms": [ "Demsty", "ReverseWindow" ], "type": [] }, "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a", "value": "systemd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami", "https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks" ], "synonyms": [], "type": [] }, "uuid": "59d4a2f3-c66e-4576-80ab-e04a4b0a4317", "value": "Tsunami (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment", "https://securelist.com/operation-applejeus-sequel/95596/", "https://objective-see.com/blog/blog_0x51.html" ], "synonyms": [], "type": [] }, "uuid": "1c96f6b9-6b78-4137-9d5f-aa5575f80daa", "value": "Unidentified macOS 001 (UnionCryptoTrader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent", "https://twitter.com/sysopfb/status/1532442456343691273", "https://www.jamf.com/blog/updateagent-adapts-again/", "https://www.esentire.com/blog/updateagent-macos-malware", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/" ], "synonyms": [], "type": [] }, "uuid": "1f1bc885-5987-41fa-bb04-8775eeb45d88", "value": "UpdateAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos", "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/", "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/" ], "synonyms": [], "type": [] }, "uuid": "13173d75-45f0-4183-8e18-554a5781405c", "value": "Uroburos (OS X)" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram", "https://twitter.com/MsftSecIntel/status/1451279679059488773", "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/", "https://twitter.com/ConfiantIntel/status/1351559054565535745" ], "synonyms": [ "WizardUpdate" ], "type": [] }, "uuid": "021e2fb4-1744-4fde-8d59-b247f1b34062", "value": "Vigram" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.watchcat", "https://objective-see.com/blog/blog_0x5F.html", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" ], "synonyms": [], "type": [] }, "uuid": "a73468d5-2dee-4828-8bbb-c37ea9295584", "value": "WatchCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail", "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf", "https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/", "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56", "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/", "https://objective-see.com/blog/blog_0x3B.html", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", "https://objective-see.com/blog/blog_0x3D.html" ], "synonyms": [], "type": [] }, "uuid": "48751182-0b17-4326-8a72-41e4c4be35e7", "value": "WindTail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti", "https://401trg.pw/winnti-evolution-going-open-source/" ], "synonyms": [], "type": [] }, "uuid": "5aede44b-1a30-4062-bb97-ac9f4985ddb6", "value": "Winnti (OS X)" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker", "https://objective-see.com/blog/blog_0x16.html", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", "value": "WireLurker (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet", "https://news.drweb.com/show/?i=2679&lng=en&c=14", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", "https://objective-see.com/blog/blog_0x43.html" ], "synonyms": [], "type": [] }, "uuid": "f99ef0dc-9e96-42e0-bbfe-3616b3786629", "value": "Wirenet (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://twitter.com/PhysicalDrive0/status/845009226388918273" ], "synonyms": [], "type": [] }, "uuid": "858f4396-8bc9-4df8-9370-490bbb3b4535", "value": "X-Agent (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/", "https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/", "https://objective-see.com/blog/blog_0x5F.html", "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities", "https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html", 
"https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/", "https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html" ], "synonyms": [], "type": [] }, "uuid": "041aee7f-cb7a-4199-9fe5-494801a18273", "value": "XCSSET" }, { "description": "Xloader is a Rebranding of Formbook malware (mainly a stealer), available for macOS as well.\r\n\r\nFormbook has a \"magic\"-value FBNG (FormBook-NG), while Xloader has a \"magic\"-value XLNG (XLoader-NG). This \"magic\"-value XLNG is platform-independent.\r\n\r\n\r\nNot to be confused with apk.xloader or ios.xloader.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader", "https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/", "https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/", "https://medium.com/@shaddy43/layers-of-deception-analyzing-the-complex-stages-of-xloader-4-3-malware-evolution-2dcb550b98d9", "https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/", "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", "https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/", "https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/", "https://twitter.com/krabsonsecurity/status/1319463908952969216", "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption", 
"https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer", "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/" ], "synonyms": [ "Formbook" ], "type": [] }, "uuid": "d5f2f6ad-2ed0-42d4-9116-f95eea2ab543", "value": "Xloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd", "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a", "value": "XSLCmd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort", "https://objective-see.com/blog/blog_0x53.html", "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/" ], "synonyms": [], "type": [] }, "uuid": "725cd3eb-1025-4da3-bcb1-a7b6591c632b", "value": "Yort" }, { "description": "A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. 
It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.zuru", "https://objective-see.com/blog/blog_0x66.html", "https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html" ], "synonyms": [], "type": [] }, "uuid": "bd293592-d2dd-4fdd-88e7-6098e0bbb043", "value": "ZuRu" }, { "description": "Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Back Connect, Auto Rooter etc.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell", "https://github.com/tennc/webshell/tree/master/php/Ani-Shell", "http://ani-shell.sourceforge.net/" ], "synonyms": [ "anishell" ], "type": [] }, "uuid": "7ef3c0fd-8736-47b1-8ced-ca7bf6d27471", "value": "Ani-Shell" }, { "description": "Antak is a webshell written in ASP.Net that utilizes PowerShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.antak", "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html" ], "synonyms": [], "type": [] }, "uuid": "88a71ca8-d99f-416a-ad29-5af12212008c", "value": "ANTAK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.aspxspy", "https://attack.mitre.org/groups/G0096", "https://asec.ahnlab.com/en/47455/", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells" ], "synonyms": [], "type": [] }, "uuid": "4d1c01be-76ad-42dd-b094-7a8dbaf02159", "value": "ASPXSpy" }, { "description": "A webshell for multiple web languages (asp/aspx, jsp/jspx, 
php), openly distributed through Github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder", "https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat", "https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md", "https://blog.gigamon.com/2022/09/28/investigating-web-shells/", "https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/" ], "synonyms": [], "type": [] }, "uuid": "5e5cd3a6-0348-4c6b-94b1-13ca0d845547", "value": "Behinder" }, { "description": "C99shell is a PHP backdoor that provides a lot of functionality, for example:\r\n\r\n\r\n* run shell commands;\r\n* download/upload files from and to the server (FTP functionality);\r\n* full access to all files on the hard disk;\r\n* self-delete functionality.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.c99", "https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html" ], "synonyms": [ "c99" ], "type": [] }, "uuid": "cd1b8ec2-dbbd-4e73-b9a7-1bd1287a68f2", "value": "c99shell" }, { "description": "FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files in the victim machine. 
It also contains a cleanup function to remove itself and clean the Apache log.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode", "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf", "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a" ], "synonyms": [], "type": [] }, "uuid": "a782aac8-168d-4691-a182-237d7d473e21", "value": "DEWMODE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology", "https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/" ], "synonyms": [ "Ensiko" ], "type": [] }, "uuid": "dfd8deac-ce86-4a22-b462-041c19d62506", "value": "Ensikology" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.p0wnyshell", "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ "Ponyshell", "Pownyshell" ], "type": [] }, "uuid": "a6d13ffe-1b1a-46fe-afd9-989e8dec3773", "value": "p0wnyshell" }, { "description": "DECODED Avast.io observed a classical web shell being used in combination with Parrot TDS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.parrot_tds_shell", "https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/", "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/" ], "synonyms": [], "type": [] }, "uuid": "c9e7c5a6-9082-47ec-89eb-477980e73dcb", "value": "Parrot TDS WebShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas", "https://securelist.com/apt-trends-report-q1-2021/101967/", 
"https://blog.erratasec.com/2016/12/some-notes-on-iocs.html", "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" ], "synonyms": [], "type": [] }, "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7", "value": "PAS" }, { "description": "Backdoor written in php", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.prometheus_backdoor", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://blog.group-ib.com/prometheus-tds" ], "synonyms": [], "type": [] }, "uuid": "b4007b02-106d-420f-af1c-76c035843fd2", "value": "Prometheus Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker", "https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp" ], "synonyms": [], "type": [] }, "uuid": "e94a5b44-f2c2-41dc-8abb-6de69eb38241", "value": "RedHat Hacker WebShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso", "https://securelist.com/energetic-bear-crouching-yeti/85345/", "https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/", "https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903" ], "synonyms": [ "Webshell by Orb" ], "type": [] }, "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7", "value": "WSO" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90", "value": "Silence DDoS" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.blacksun", 
"https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html" ], "synonyms": [], "type": [] }, "uuid": "1fcc4425-6e14-47e6-8434-745cf1bc9982", "value": "BlackSun" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://ironnet.com/blog/chirp-of-the-poisonfrog/", "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933", "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.netscout.com/blog/asert/tunneling-under-sands", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://nsfocusglobal.com/apt34-event-analysis-report/", "https://marcoramilli.com/2019/05/02/apt34-glimpse-project/" ], "synonyms": [ "Glimpse", "Poison Frog" ], "type": [] }, "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3", "value": "BONDUPDATER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cashy200", "https://unit42.paloaltonetworks.com/atoms/hunter-serpens/", "https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/" ], "synonyms": [], "type": [] }, "uuid": "7373c789-2dc2-4867-9c60-fa68f8d971a2", "value": "CASHY200" }, { "description": "A loader written in Powershell, usually delivered 
packaged in MSI/MSIX files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.eugenloader", "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs", "https://intel471.com/blog/malvertising-surges-to-distribute-malware", "https://esentire-dot-com-assets.s3.amazonaws.com/assets/resourcefiles/eSentire-Unraveling_BatLoader_and_FakeBat.pdf", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/" ], "synonyms": [ "FakeBat", "NUMOZYLOD", "PaykLoader" ], "type": [] }, "uuid": "cf9c14cf-6246-4858-8bcc-5a943c8df715", "value": "EugenLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", "https://www.youtube.com/watch?v=rfzmHjZX70s", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://vblocalhost.com/uploads/VB2020-46.pdf", "https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf" ], "synonyms": [ "BoBoStealer" ], "type": [] }, "uuid": "6f0f034a-13f1-432d-bc70-f78d7f27f46f", "value": "FlowerPower" }, { "description": "Loader used to deliver FRat (see family windows.frat)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md" ], "synonyms": [], "type": [] }, "uuid": "385a3dca-263d-46be-b84d-5dc09ee466d9", "value": "FRat Loader" }, { "description": "The malware ftcode is a ransomware which encrypts files and changes their extension into .FTCODE. It later asks for a ransom in order to release the decryption key, mandatory to recover your files. 
It is infamous for attacking targets in Italy while posing as a well-known telecom provider asking for overdue payments.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode", "https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/", "https://www.certego.net/en/news/malware-tales-ftcode/", "https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm", "https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md", "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", "https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities" ], "synonyms": [], "type": [] }, "uuid": "f727a05e-c1cd-4e95-b0bf-2a4bb64aa850", "value": "FTCODE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer", "https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/", "https://research.checkpoint.com/malware-against-the-c-monoculture/", "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless" ], "synonyms": [], "type": [] }, "uuid": "0db05333-2214-49c3-b469-927788932aaa", "value": "GhostMiner" }, { "description": "The author describes this open source shell as follows. \r\nHTTP-Shell is Multiplatform Reverse Shell. This tool helps you to obtain a shell-like interface on a reverse connection over HTTP. 
Unlike other reverse shells, the main goal of the tool is to use it in conjunction with Microsoft Dev Tunnels, in order to get a connection as close as possible to a legitimate one.\r\n\r\nThis shell is not fully interactive, but displays any errors on screen (both Windows and Linux), is capable of uploading and downloading files, has command history, terminal cleanup (even with CTRL+L), automatic reconnection, movement between directories and supports sudo (or sudo su) on Linux-based OS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.http_shell", "https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition", "https://github.com/JoelGMSec/HTTP-Shell" ], "synonyms": [], "type": [] }, "uuid": "50b94b67-dc2a-4953-a354-edf2cc4e17d3", "value": "HTTP-Shell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader", "https://blog.threatstop.com/upgraded-jasperloader-infecting-machines", "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html", "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", "https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html" ], "synonyms": [], "type": [] }, "uuid": "286a14a1-7113-4bed-97ce-8db41b312a51", "value": "JasperLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lazyscripter", "https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter" ], "synonyms": [], "type": [] }, "uuid": "74e5711e-b777-4f09-a4bc-db58d5e23e29", "value": "Lazyscripter" }, { "description": "According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot", 
"https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/", "https://twitter.com/VK_Intel/status/1329511151202349057" ], "synonyms": [], "type": [] }, "uuid": "319c4b4f-2901-412c-8fa5-70be75ba51cb", "value": "LightBot" }, { "description": "The author describes Octopus as an \"open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S.\"\r\n\r\nIt is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus", "https://isc.sans.edu/diary/rss/28628", "https://isc.sans.edu/diary/26918", "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://github.com/mhaskar/Octopus" ], "synonyms": [], "type": [] }, "uuid": "c3ca7a89-a885-444a-8642-31019b34b027", "value": "Octopus (Powershell)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig", "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html", "https://threatpost.com/oilrig-apt-unique-backdoor/157646/", "https://twitter.com/MJDutch/status/1074820959784321026?s=19" ], "synonyms": [], "type": [] }, "uuid": "4a3b9669-8f91-47df-a8bf-a9876ab8edf3", "value": "OilRig" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.phonyc2", "https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater", "https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel", "https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns", "https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps" ], "synonyms": [], "type": [] }, "uuid": 
"c630e510-a0ad-405a-9aeb-9d8057b6a868", "value": "PhonyC2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy", "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", "https://github.com/matthewdunwoody/POSHSPY" ], "synonyms": [], "type": [] }, "uuid": "4df1b257-c242-46b0-b120-591430066b6f", "value": "POSHSPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerbrace", "https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/", "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor" ], "synonyms": [], "type": [] }, "uuid": "7b334343-0045-4d65-b28a-ebf912c7aafc", "value": "PowerBrace" }, { "description": "PowerHarbor is a modular PowerShell-based malware that consists of various modules. The primary module maintains constant communication with the C2 server, executing and deleting additional modules received from it. Currently, the communication with the C2 server is encrypted using RSA encryption and hardcoded key data. Moreover, the main module incorporates virtual machine (VM) detection capabilities. 
The StealData module employs the Invoke-Stealer function as its core, enabling the theft of system information, browser-stored credentials, cryptocurrency wallet details, and credentials for various applications like Telegram, FileZilla, and WinSCP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerharbor", "https://insight-jp.nttsecurity.com/post/102ignh/steelcloverpowerharbor" ], "synonyms": [], "type": [] }, "uuid": "73b40a4c-9163-4a07-bf1b-e4a4344ac63a", "value": "PowerHarbor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpepper", "https://twitter.com/InQuest/status/1285295975347650562", "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/" ], "synonyms": [], "type": [] }, "uuid": "6544c75b-809f-4d31-a235-8906d4004828", "value": "PowerPepper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" ], "synonyms": [], "type": [] }, "uuid": "60d7f668-66b6-401b-976f-918470a23c3d", "value": "POWERPIPE" }, { "description": "This is a PowerShell-written backdoor used by FIN7. 
According to Mandiant, it was revealed to be a \"vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerplant", "https://www.mandiant.com/resources/evolution-of-fin7" ], "synonyms": [], "type": [] }, "uuid": "697626d3-04a1-4426-aeae-d7054c6e78fb", "value": "POWERPLANT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor", "https://github.com/chrisjd20/powershell_web_backdoor" ], "synonyms": [], "type": [] }, "uuid": "4310dcab-0820-4bc1-8a0b-9691c20f5b49", "value": "powershell_web_backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershortshell", "https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/" ], "synonyms": [], "type": [] }, "uuid": "f2198153-2d8b-49ed-b8a8-0952c289b8c0", "value": "PowerShortShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower", "https://unit42.paloaltonetworks.com/atoms/clean-ursa", "https://securelist.com/recent-cloud-atlas-activity/92016/", "https://unit42.paloaltonetworks.com/atoms/clean-ursa/", "https://attack.mitre.org/groups/G0100/", "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability", "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/", "https://securelist.com/recent-cloud-atlas-activity/92016", "https://attack.mitre.org/groups/G0100" ], "synonyms": [], "type": [] }, "uuid": "0959a02e-6eba-43dc-bbbf-b2c7488e9371", "value": "PowerShower" }, { "description": "POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. 
The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource", "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" ], "synonyms": [], "type": [] }, "uuid": "a4584181-f739-43d1-ade9-8a7aa21278a0", "value": "POWERSOURCE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "c07f6484-0669-44b7-90e6-f642e316d277", "value": "PowerSpritz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstar", "https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/" ], "synonyms": [], "type": [] }, "uuid": "60e11a7b-8452-4177-b709-99ef0976c296", "value": "POWERSTAR" }, { "description": "POWERSTATS is a backdoor written in powershell.\r\nIt has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats", "https://blog.prevailion.com/2020/01/summer-mirage.html", "https://unit42.paloaltonetworks.com/atoms/boggyserpens/", "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", 
"https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", "https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html", "https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html", "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf", "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/", "https://www.secureworks.com/research/threat-profiles/cobalt-ulster", "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/", "https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/", "https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/", "https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html", "https://www.group-ib.com/blog/muddywater/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/", "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf", "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/", "http://www.secureworks.com/research/threat-profiles/cobalt-ulster", "https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater", "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/", "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html", "https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/", 
"https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA", "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/", "https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html" ], "synonyms": [ "Valyria" ], "type": [] }, "uuid": "b81d91b5-23a4-4f86-aea9-3f212169fce9", "value": "POWERSTATS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton", "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/", "https://norfolkinfosec.com/apt33-powershell-malware/", "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html", "https://www.symantec.com/security-center/writeup/2019-062513-4935-99" ], "synonyms": [], "type": [] }, "uuid": "08d5b8a4-e752-48f3-ac6d-944807146ce7", "value": "POWERTON" }, { "description": "This PowerShell written malware is an in-memory dropper used by FIN7 to execute the included/embedded payload. 
According to Mandiant's blog article: \"POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs", "https://www.mandiant.com/resources/blog/evolution-of-fin7", "https://www.mandiant.com/resources/evolution-of-fin7" ], "synonyms": [], "type": [] }, "uuid": "ff20d720-285e-4168-ac8c-86a7f9ac18d4", "value": "POWERTRASH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware", "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" ], "synonyms": [], "type": [] }, "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", "value": "PowerWare" }, { "description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. 
PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure", "https://github.com/hausec/PowerZure" ], "synonyms": [], "type": [] }, "uuid": "f5fa77e9-9851-48a6-864d-e0448de062d4", "value": "PowerZure" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_magic", "https://securelist.com/bad-magic-apt/109087/", "https://securelist.com/cloudwizard-apt/109722/", "https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger", "https://securelist.com/bad-magic-apt/109087/?s=31" ], "synonyms": [], "type": [] }, "uuid": "7ee51054-1d3b-45ec-a7fd-1e212c891b99", "value": "PowerMagic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_rat", "https://blog.talosintelligence.com/gophish-powerrat-dcrat/" ], "synonyms": [], "type": [] }, "uuid": "970bdeaf-bc34-458a-ae67-8c3578e8663d", "value": "PowerRAT" }, { "description": "DLL loader that decrypts and runs a powershell-based downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf", "https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant", "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html", "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf", "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://unit42.paloaltonetworks.com/thanos-ransomware/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" ], "synonyms": [], "type": [] }, "uuid": "d8429f6d-dc4b-4aae-930d-234156dbf354", "value": "PowGoop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae" ], "synonyms": [], "type": [] }, "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", "value": "POWRUNER" }, { "description": "The family is adding a fake root certificate authority, sets a proxy.pac-url for local browsers and redirects infected users to fake banking applications (currently targeting Poland). 
Based on information shared, it seems the PowerShell script is dropped by an exploit kit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox", "https://twitter.com/kafeine/status/1092000556598677504" ], "synonyms": [], "type": [] }, "uuid": "c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8", "value": "PresFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html", "https://youtu.be/pBDu8EGWRC4?t=2492" ], "synonyms": [], "type": [] }, "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", "value": "QUADAGENT" }, { "description": "A set of powershell scripts, using services like Google Docs and Dropbox as C2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.randomquery", "https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/" ], "synonyms": [], "type": [] }, "uuid": "b0a67107-dff2-4fb9-a47e-10f83779bdbb", "value": "RandomQuery (Powershell)" }, { "description": "According to Trellix, this is a first-stage, powershell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. 
Targets identified include hotels in Macao.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.rmot", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html" ], "synonyms": [], "type": [] }, "uuid": "7e79444b-95d9-422d-92f0-aeb833a7cbcd", "value": "RMOT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", "https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/" ], "synonyms": [], "type": [] }, "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", "value": "RogueRobin" }, { "description": "Toolkit downloader used by Royal Ransomware group, involving GnuPG for decryption.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.royal_ransom", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a" ], "synonyms": [], "type": [] }, "uuid": "1c75ffff-59f9-4fdc-958d-51f822f76c35", "value": "Royal Ransom (Powershell)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks", "https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1" ], "synonyms": [], "type": [] }, "uuid": "3c627182-e4ee-4db0-9263-9d657a5d7c98", "value": "Schtasks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.skyrat", "https://github.com/YSCHGroup/SkyRAT" ], "synonyms": [], "type": [] }, "uuid": "8e5d7d24-9cdd-4376-a6c7-967273dfeeab", "value": "skyrat" }, { "description": "sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. 
The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload", "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9", "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html", "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/", "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/", "https://blog.minerva-labs.com/sload-targeting-europe-again", "https://threatpost.com/sload-spying-payload-delivery-bits/151120/", "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/", "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", "https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/", "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", "https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/", "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf" ], "synonyms": [ "Starslord" ], "type": [] }, "uuid": "e78c0259-9299-4e55-b934-17c6a3ac4bc2", "value": "sLoad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.snugy", "https://unit42.paloaltonetworks.com/atoms/hunter-serpens/", "https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/" ], "synonyms": [], "type": [] }, "uuid": "773a6520-d164-4727-8351-c4201b04f10b", 
"value": "Snugy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.steelhook", "https://cert.gov.ua/article/6276894" ], "synonyms": [], "type": [] }, "uuid": "f963e3df-13d1-4fd0-abdd-792c0d05e41c", "value": "STEELHOOK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.subtle_paws", "https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/" ], "synonyms": [], "type": [] }, "uuid": "399258d3-6919-45f9-a557-10c3cbef9bd4", "value": "SUBTLE-PAWS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.swrort", "https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "3347a1bc-6b4d-459c-98a5-746bab12d011", "value": "Swrort Stager" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater", "https://github.com/Kevin-Robertson/Tater" ], "synonyms": [], "type": [] }, "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", "value": "Tater PrivEsc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell", "https://github.com/Mr-Un1k0d3r/ThunderShell" ], "synonyms": [], "type": [] }, "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", "value": "ThunderShell" }, { "description": "Recon and exfiltration script, dropped from a LNK file. 
Attributed to APT-C-12.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001", "https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/" ], "synonyms": [], "type": [] }, "uuid": "77231587-0dbe-4064-97b5-d7f4a2e3dc67", "value": "Unidentified PS 001" }, { "description": "A Powershell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002", "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/", "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/" ], "synonyms": [], "type": [] }, "uuid": "73578ff6-b218-4271-9bda-2a567ba3e259", "value": "Unidentified PS 002 (RAT)" }, { "description": "This malware is a RAT written in PowerShell. It has the following capabilities: Downloading and Uploading files, loading and execution of a PowerShell script, execution of a specific command. 
It was observed by the Malwarebytes LABS Threat Intelligence Team in a newly discovered campaign: this campaign tries to lure Germans with a promise of updates on the current threat situation in Ukraine, according to Malwarebytes LABS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_003", "https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/" ], "synonyms": [], "type": [] }, "uuid": "709ba4ad-9ec5-4e0b-b642-96db3b7f6898", "value": "Unidentified PS 003 (RAT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_004", "https://somedieyoungzz.github.io/posts/kimsucky-2/" ], "synonyms": [], "type": [] }, "uuid": "a8f69576-676f-4536-b301-246ddd87ceeb", "value": "Unidentified PS 004 (RAT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.vipersoftx", "https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/", "https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga", "https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html" ], "synonyms": [], "type": [] }, "uuid": "15b551ea-b59a-40f9-a10f-6144415d2d5c", "value": "ViperSoftX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine", "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry", "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/", "https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf", "https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/", "https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/", 
"https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/" ], "synonyms": [], "type": [] }, "uuid": "beb4f2b3-85d1-491d-8ae1-f7933f00f820", "value": "WannaMine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader", "https://twitter.com/blackorbird/status/1247834024711577601" ], "synonyms": [], "type": [] }, "uuid": "c9ef106e-def9-4229-8373-616a298ed645", "value": "WannaRen Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant", "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" ], "synonyms": [], "type": [] }, "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", "value": "WMImplant" }, { "description": "According to Laceworks, this is a SMTP cracker, which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various configuration data including AWS, SendGrid and Twilio. AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed creds and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. 
However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.androxgh0st", "https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/" ], "synonyms": [ "Androx", "AndroxGhost" ], "type": [] }, "uuid": "e8f24c9c-c03c-4740-a121-d73789931c8e", "value": "AndroxGh0st" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist", "https://github.com/NullArray/Archivist" ], "synonyms": [], "type": [] }, "uuid": "2095a09c-3fdd-4164-b82e-2e9a41affd8e", "value": "Archivist" }, { "description": "Ares is a Python RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.ares", "https://github.com/sweetsoftware/Ares", "https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/" ], "synonyms": [], "type": [] }, "uuid": "c4a578de-bebe-49bf-8af1-407857acca95", "value": "Ares (Python)" }, { "description": "Stealer written in Python 3, typically distributed bundled via PyInstaller.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber", "https://github.com/Blank-c/Blank-Grabber", "https://www.linkedin.com/feed/update/urn:li:activity:7247179869443264512/" ], "synonyms": [], "type": [] }, "uuid": "c41d4749-b713-4f4c-b718-4076c0479ebc", "value": "BlankGrabber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", "http://seclists.org/fulldisclosure/2017/Mar/7", "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/", 
"https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f", "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/" ], "synonyms": [], "type": [] }, "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", "value": "BrickerBot" }, { "description": "Stealer written in Python.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.creal_stealer", "https://cyble.com/blog/creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites/" ], "synonyms": [], "type": [] }, "uuid": "8a7becae-fc06-4ff1-b364-b26dd3d2edd9", "value": "Creal Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c", "https://github.com/0x09AL/DropboxC2C" ], "synonyms": [], "type": [] }, "uuid": "53dd4a8b-374e-48b6-a7c8-58af0e31f435", "value": "DropboxC2C" }, { "description": "Discord Stealer written in Python with Javascript-based inject files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.empyrean", "https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord" ], "synonyms": [], "type": [] }, "uuid": "b1aa0be3-b725-4135-b0b9-3a895d4ef047", "value": "Empyrean" }, { "description": "Ransomware written in Python.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.evil_ant", "https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/" ], "synonyms": [], "type": [] }, "uuid": "24d570c6-3ed4-4346-a8b1-9fed2ed67a95", "value": "Evil Ant" }, { "description": "According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. 
Its intrinsics resemble parts of how win.milum operates.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.guard", "https://securelist.com/wildpressure-targets-macos/103072/" ], "synonyms": [], "type": [] }, "uuid": "ac3382b3-3c18-4b16-8f1b-b371794916ac", "value": "Guard" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.invisibleferret", "https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html", "https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers", "https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/", "https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west", "https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/", "https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot" ], "synonyms": [], "type": [] }, "uuid": "332478a1-146f-406e-9af0-b329e478efff", "value": "InvisibleFerret" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer", "https://github.com/nairuzabulhul/KeyPlexer" ], "synonyms": [], "type": [] }, "uuid": "cadf8c9d-7bb0-40ad-8c8c-043b1d4b2e93", "value": "KeyPlexer" }, { "description": "The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. 
It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne", "https://www.mandiant.com/resources/blog/alphv-ransomware-backup", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia", "https://www.infinitumit.com.tr/apt-35/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf", "https://attack.mitre.org/groups/G0100/", "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/", "https://attack.mitre.org/groups/G0100", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://fourcore.io/blogs/threat-hunting-browser-credential-stealing", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", "https://github.com/AlessandroZ/LaZagne", "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html" ], "synonyms": [], "type": [] }, "uuid": "c752f295-7f08-4cb0-92d5-a0c562abd08c", "value": "LaZagne" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.lofy", "https://securelist.com/lofylife-malicious-npm-packages/107014/" ], "synonyms": [ "LofyLife" ], "type": [] }, "uuid": "10882613-ac61-42da-82c8-c0f4bb2673f8", "value": "Lofy" }, { "description": "This RAT written in Python is an open-source fork of the Ares RAT. This malware integrates additional modules, such as recording, lockscreen, and locate options. It was used in a customized version by El Machete APT in an ongoing campaign since 2020. 
The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.lokirat", "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "synonyms": [], "type": [] }, "uuid": "5e7bb9d4-6633-49f8-8770-9ac1163e6531", "value": "Loki RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.masepie", "https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1", "https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/", "https://cert.gov.ua/article/6276894" ], "synonyms": [], "type": [] }, "uuid": "9233f6e6-9dd7-4b30-adaa-5baf5359d22a", "value": "MASEPIE" }, { "description": "An IRC bot written in (obfuscated) Python code. Distributed in attack campaign FreakOut, written by author Freak/Fl0urite and development potentially dating back as far as 2015.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph", "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/", "https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr", "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", "https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/", "https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html", "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/", "https://www.lacework.com/keksec-tsunami-ryuk/", "https://blog.netlab.360.com/necro/", "https://github.com/lacework/lacework-labs/tree/master/keksec", "https://twitter.com/xuy1202/status/1393384128456794116", "https://www.lacework.com/blog/the-kek-security-network/", 
"https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/", "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", "https://www.lacework.com/the-kek-security-network/", "https://twitter.com/xuy1202/status/1392089568384454657" ], "synonyms": [ "FreakOut", "Necro" ], "type": [] }, "uuid": "2351539a-165a-4886-b5fe-f56fdf6b167a", "value": "N3Cr0m0rPh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.networm", "https://github.com/pylyf/NetWorm" ], "synonyms": [], "type": [] }, "uuid": "6c6acd00-cdc2-460d-8edf-003b84875b5d", "value": "NetWorm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pirat", "https://vk.com/m228228?w=wall306895781_177" ], "synonyms": [], "type": [] }, "uuid": "bca94d33-e5a1-4bcc-981e-f35fd74a79d1", "value": "PIRAT" }, { "description": "Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered including a Python interpreter and required libraries. The name originates from references to Shakespeare. 
Exfiltration happens through FTP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/", "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html", "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", "https://blog.talosintelligence.com/2020/10/poetrat-update.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "b07819a9-a2f7-454d-a520-c6424cbf1ed4", "value": "Poet RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.powerat", "https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi" ], "synonyms": [], "type": [] }, "uuid": "b5cb3d2b-0205-4883-aaff-0d0b7a7f032d", "value": "poweRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], "type": [] }, "uuid": "afcc9bfc-1227-4bb0-a88a-5accdbfd58fa", "value": "pupy (Python)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader" ], "synonyms": [], "type": [] }, "uuid": "b9ba4f66-78dc-491f-8fd4-0143816ce80e", "value": "PyAesLoader" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/py.pyark", "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" ], "synonyms": [], "type": [] }, "uuid": "01f15f4e-dd40-4246-9b99-c0d81306e37f", "value": "PyArk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyback", "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001", "https://github.com/7h3w4lk3r/pyback" ], "synonyms": [], "type": [] }, "uuid": "6d96cd1e-98f4-4784-9982-397c5df19bd9", "value": "pyback" }, { "description": "According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyration", "https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/" ], "synonyms": [], "type": [] }, "uuid": "1dc471d3-6303-48a1-a17a-b4f29e5ba6a9", "value": "PY#RATION" }, { "description": "PyVil RAT", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyvil", "https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat", "https://twitter.com/ESETresearch/status/1360178593968623617" ], "synonyms": [], "type": [] }, "uuid": "2cf75f3c-116f-4faf-bd32-ba3a5e2327cf", "value": "PyVil" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.quietboard", "https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware" ], "synonyms": [], "type": [] }, 
"uuid": "6ebeed34-4a7d-44d8-ae44-83ae37cf5f2f", "value": "QUIETBOARD" }, { "description": "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.responder", "https://github.com/lgandx/Responder", "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/" ], "synonyms": [ "SpiderLabs Responder" ], "type": [] }, "uuid": "3271b5ca-c044-4ab8-bbfc-0d6e1a6601fc", "value": "Responder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra", "https://www.youtube.com/watch?v=Bk-utzAlYFI", "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/" ], "synonyms": [], "type": [] }, "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", "value": "Saphyra" }, { "description": "According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent", "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain", "https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/", "https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html", "https://labs.k7computing.com/index.php/uncovering-the-serpent/" ], "synonyms": [], "type": [] }, "uuid": "8052319b-f6da-4f53-a630-59245ff65eaf", "value": "Serpent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow", "https://github.com/TheSph1nx/SpaceCow" ], "synonyms": [], "type": [] }, "uuid": "ff5c0845-6740-45d5-bd34-1cf69c635356", "value": "SpaceCow" 
}, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler", "https://habr.com/en/sandbox/135410/" ], "synonyms": [], "type": [] }, "uuid": "689247a2-4e75-4802-ab94-484fc3d6a18e", "value": "stealler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.stitch", "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/", "https://github.com/nathanlopez/Stitch" ], "synonyms": [], "type": [] }, "uuid": "6239201b-a0bd-4f01-8bbe-79c6fc5fa861", "value": "Stitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.stormous", "https://twitter.com/H4ckManac/status/1765707886246723617" ], "synonyms": [], "type": [] }, "uuid": "e2580f5e-417b-4f21-88ba-8d3e43514363", "value": "Stormous" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002" ], "synonyms": [], "type": [] }, "uuid": "7e5fe6ca-3323-409a-a5bb-d34f60197b99", "value": "unidentified_002" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003" ], "synonyms": [], "type": [] }, "uuid": "43282411-4999-4066-9b99-2e94a17acbd4", "value": "unidentified_003" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.upstyle", "https://unit42.paloaltonetworks.com/cve-2024-3400/", "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" ], "synonyms": [], "type": [] }, "uuid": "1824c463-77df-43af-a055-d94567918f6b", "value": "UPSTYLE" }, { "description": "Ransomware written in Python and delivered as compiled executable created using PyInstaller.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.venomous", 
"https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "0bd5aed2-9c74-41a5-9fcf-9379f2cb0e2c", "value": "Venomous" }, { "description": "Venus Stealer is a Python-based infostealer observed in early 2023.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.venus_stealer", "https://twitter.com/0xToxin/status/1625435116771180546", "https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/" ], "synonyms": [], "type": [] }, "uuid": "20f72d3c-87b7-4349-ad1b-59d7909c1df4", "value": "Venus Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.vilerat", "https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/" ], "synonyms": [], "type": [] }, "uuid": "aba54ca9-ef0d-4061-93d1-65251e90afad", "value": "VileRAT" }, { "description": "A basic info stealer with some capability to inject code into legitimate applications.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.w4sp_stealer", "https://github.com/Im4wasp/W4SP-Stealer-V2/tree/main", "https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/" ], "synonyms": [], "type": [] }, "uuid": "c4d46e47-3af8-4117-84ad-1e5699956f2b", "value": "W4SP Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.wirefire", "https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3" ], "synonyms": [ "GIFTEDVISITOR" ], "type": [] }, "uuid": "54f3e853-5f0e-4940-9e27-79e6991886f9", "value": "WIREFIRE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/sh.kv", "https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/", "https://www.securityweek.com/wp-content/uploads/2024/01/Volt-Typhoon.pdf", 
"https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/", "https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical" ], "synonyms": [], "type": [] }, "uuid": "37784130-81fd-40d7-87d4-38e5085513bd", "value": "KV" }, { "description": "A backdoor introduced into versions 5.6.0 and 5.6.1 of the compression library/tool xz/liblzma, intended to enable access via (Open)SSH on affected servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/sh.xzbot", "https://www.wired.com/story/jia-tan-xz-backdoor/", "https://github.com/amlweems/xzbot", "https://gynvael.coldwind.pl/?lang=en&id=782", "https://www.openwall.com/lists/oss-security/2024/03/29/4", "https://twitter.com/fr0gger_/status/1774342248437813525", "https://medium.com/@DCSO_CyTec/xz-backdoor-how-to-check-if-your-systems-are-affected-fb169b638271", "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27", "https://www.linkedin.com/posts/threatmon_xz-utils-backdoor-cve-2024-3094-activity-7181228442791641088-rw2a?utm_source=share&utm_medium=member_desktop", "https://www.sentinelone.com/blog/xz-utils-backdoor-threat-actor-planned-to-inject-further-vulnerabilities/", "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094", "https://boehs.org/node/everything-i-know-about-the-xz-backdoor", "https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504", "https://github.com/karcherm/xz-malware" ], "synonyms": [ "xzorcist" ], "type": [] }, "uuid": "293b9d76-8e58-48bc-936b-e8dfb00f6f6c", "value": "xzbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "9f85f4fc-1cce-4557-b3d8-b9ef522fafb2", "value": "FlexiSpy (symbian)" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.basicstar", "https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/" ], "synonyms": [], "type": [] }, "uuid": "ca86807d-5466-496a-b41f-4bde905f9064", "value": "BASICSTAR" }, { "description": "CageyChameleon Malware is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon will collect user host information, system current process information, etc. The collected information is sent back to the C2 server, and continue to initiate requests to perform subsequent operations.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon", "https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ", "https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/", "https://sansorg.egnyte.com/dl/3P3HxFiNgL", "https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf", "https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf", "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/", "https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html", "https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf", "https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf", "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds", "https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314", "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html", "https://www.clearskysec.com/cryptocore-group/", 
"https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjCk7uOzMP-AhXOYMAKHYtLCKkQFnoECBIQAQ&url=https%3A%2F%2Fi.blackhat.com%2FUSA-22%2FThursday%2FUS-22-Wikoff-Talent-Need-Not-Apply.pdf&usg=AOvVaw0deqd7ozZyRTfSBOBmlbiG", "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md" ], "synonyms": [ "Cabbage RAT" ], "type": [] }, "uuid": "ea71b7c1-79eb-4e9c-a670-ea75d80132f4", "value": "CageyChameleon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.forbiks", "https://persianov.net/windows-worms-forbix-worm-analysis", "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99" ], "synonyms": [ "Forbix" ], "type": [] }, "uuid": "2ad12163-3a8e-4ece-969e-ac616303ebe1", "value": "forbiks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.ggldr", "https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control" ], "synonyms": [], "type": [] }, "uuid": "8ca31b9b-6e78-4dcc-9d14-dfd97d44994e", "value": "GGLdr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.glowspark", "https://inquest.net/blog/2022/02/10/380-glowspark" ], "synonyms": [], "type": [] }, "uuid": "ab6f8b6d-f0a0-4d2c-a81b-2dcb146914ea", "value": "GlowSpark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju", "https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce", "https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8" ], "synonyms": [], "type": [] }, "uuid": "f0a64323-62a6-4c5a-bb3d-44bd3b11507f", "value": "Grinju Downloader" }, { "description": "The HALFBAKED malware family consists of 
multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\n\r\n info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI \r\n queries\r\n processList: Sends the list of running processes\r\n screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)\r\n runvbs: Executes a VB script\r\n runexe: Executes an EXE file\r\n runps1: Executes a PowerShell script\r\n delete: Deletes the specified file\r\n update: Updates the specified file", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://attack.mitre.org/software/S0151/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" ], "synonyms": [], "type": [] }, "uuid": "095c995c-c916-488e-944d-a3f4b9842926", "value": "HALFBAKED" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.homesteel", "https://cert.gov.ua/article/6281076" ], "synonyms": [], "type": [] }, "uuid": "9058df01-6f7c-447e-9a68-83a41ef2f15f", "value": "HOMESTEEL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou", "https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186" ], "synonyms": [ "Love Bug", "LoveLetter" ], "type": [] }, "uuid": "bba3f3c9-f65f-45f1-a482-7209b9fa5adb", "value": "Iloveyou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.janicab", "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/" ], "synonyms": [], "type": [] }, "uuid": "b3cb5859-2049-43d3-aed2-73db45ed0112", "value": "Janicab (VBScript)" }, { "description": "Malware is 
delivered by emails, containing links to ZIP files or ZIP attachments. The ZIP contains a VBscript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files.\r\nThe malware targets banking clients in Portugal.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion", "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf", "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/", "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/", "https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/", "https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html", "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/", "https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf", "https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing", "https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years", "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader" ], "synonyms": [], "type": [] }, "uuid": "97f89048-2a57-48d5-9272-0d1061a14eca", "value": "lampion" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.litterdrifter", "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/" ], "synonyms": [], "type": [] }, "uuid": "31f64da5-e20b-4aa8-acf6-029bca10a7e6", "value": "LitterDrifter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lockscreen", 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/" ], "synonyms": [], "type": [] }, "uuid": "a583a2db-616e-48e5-b12b-088a378c2307", "value": "lockscreen" }, { "description": "MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email. Based on Fireeye intrusion data from responding to ICEDID related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.mouseisland", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html" ], "synonyms": [], "type": [] }, "uuid": "e9afcd80-c1c6-4194-af32-133fe31e835f", "value": "MOUSEISLAND" }, { "description": "Downloads NodeJS when deployed.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom", "https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "93c87125-7150-4bc6-a0f9-b46ff8de1839", "value": "NodeJS Ransomware" }, { "description": "According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.randomquery", "https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "76fd3fcb-151d-4880-b97e-ea890c337aad", "value": "RandomQuery (VBScript)" }, { "description": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter", "https://github.com/Cn33liz/StarFighters" ], "synonyms": [], "type": [] }, "uuid": "e24b852c-3ede-42ac-8d04-68ab96bf53a0", "value": "Starfighter (VBScript)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starwhale", "https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html", "https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706", "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html", "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/", "https://blog.talosintelligence.com/iranian-supergroup-muddywater/", "https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/", "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html" ], "synonyms": [ "Canopy", "SloughRAT" ], "type": [] }, "uuid": "27c70673-d40e-46a2-8f47-13cc5738ff36", "value": "STARWHALE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001", "https://twitter.com/JohnLaTwC/status/1118278148993339392" ], "synonyms": [], "type": [] }, "uuid": "ba354d45-bc41-40cd-93b2-26139db296bd", "value": "Unidentified VBS 001" }, { "description": "Unnamed malware. 
Delivered as remote template that drops a VBS file, which uses LOLBINs to crawl the disk and exfiltrate data zipped up via winrar.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002", "https://www.clearskysec.com/operation-kremlin/" ], "synonyms": [], "type": [] }, "uuid": "d8e8d701-ebe4-44ab-8c5b-70a11246ddf1", "value": "Unidentified 002 (Operation Kremlin)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003", "https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/", "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/", "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt" ], "synonyms": [], "type": [] }, "uuid": "d5955c4b-f507-4b3f-8d57-080849aba831", "value": "Unidentified 003 (Gamaredon Downloader)" }, { "description": "Lab52 describes this as a light first-stage RAT used by MuddyWater and observed samples between at least November 2020 and January 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_004", "https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/" ], "synonyms": [], "type": [] }, "uuid": "84c6b483-ba17-4a22-809d-dc37d9ce1822", "value": "Unidentified VBS 004 (RAT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_005", "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/", "https://unit42.paloaltonetworks.com/trident-ursa/" ], "synonyms": [], "type": [] }, "uuid": "8eb8ebbc-c5b1-47d8-816a-4e21dee145c3", "value": "Unidentified VBS 005 (Telegram Loader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_006", 
"https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations", "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/" ], "synonyms": [], "type": [] }, "uuid": "a6bd28db-c1a3-44b1-8bc3-7882e2896d67", "value": "Unidentified VBS 006 (Telegram Loader)" }, { "description": "According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell", "https://www.linkedin.com/feed/update/urn:li:activity:7137086303329783808/", "https://www.mandiant.com/media/17826", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "991179a0-efd5-450a-a1ce-78d1109bb50b", "value": "VBREVSHELL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.wasabiseed", "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me", "https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/" ], "synonyms": [], "type": [] }, "uuid": "0c6568da-7017-4d9f-b077-0c486b3f9057", "value": "WasabiSeed" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.whiteshadow", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware" ], "synonyms": [], "type": [] }, "uuid": "dc857b7d-f228-4aa5-9e89-f7e17bb7ea8c", "value": "WhiteShadow" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.000stealer", "https://twitter.com/3xp0rtblog/status/1509978637189419008" ], "synonyms": [], "type": [] }, "uuid": "24e598cf-4c55-468a-ac1d-cc4f89104943", "value": "000Stealer" }, { "description": "Information stealer, based on strings it seems to target crypto currencies, instant messengers, and 
browser data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.0bj3ctivity_stealer", "https://twitter.com/suyog41/status/1688797716447432704", "https://mandarnaik016.in/blog/2024-09-21-malware-analysis-pxrecvoweiwoei/" ], "synonyms": [ "PXRECVOWEIWOEI" ], "type": [] }, "uuid": "ac22ee6f-0d15-4edb-8ea5-1675df57597c", "value": "0bj3ctivityStealer" }, { "description": "According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor", "https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html", "https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023", "https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md", "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/", "https://securelist.com/it-threat-evolution-q2-2023/110355/", "https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social", "https://www.youtube.com/watch?v=fTX-vgSEfjk", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", 
"https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats", "https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/", "https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality", "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack", "https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html", "https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/", "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack", "https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack", "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/", "https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update" ], "synonyms": [ "SUDDENICON" ], "type": [] }, "uuid": "b6a00e25-9d8d-4ebc-b9fc-7fd41797303b", "value": "3CX Backdoor (Windows)" }, { "description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. 
It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://twitter.com/James_inthe_box/status/1401921257109561353", "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89", "https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://any.run/cybersecurity-blog/analyzing-snake-keylogger/", "https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/", "https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html", "https://blog.netlab.360.com/purecrypter", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/", "https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware", "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", "https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter", "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/", "https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/", "https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/", "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://cert.gov.ua/article/955924", "https://www.youtube.com/watch?v=vzyJp2w8bPE", 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/", "https://habr.com/ru/company/group-ib/blog/477198/", "https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger", "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102", "https://zw01f.github.io/malware%20analysis/snake/" ], "synonyms": [ "404KeyLogger", "Snake Keylogger" ], "type": [] }, "uuid": "6b87fada-86b3-449d-826d-a89858121b68", "value": "404 Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat", "https://attack.mitre.org/groups/G0024", "https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html", "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", "https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf" ], "synonyms": [], "type": [] }, "uuid": "823f4eb9-ad37-4fab-8e69-3bdae47a0028", "value": "4h_rat" }, { "description": "Downloader used in suspected APT attack against Vietnam.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.5t_downloader", "https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/", "https://blog.vincss.net/re022-part-1-quick-analysis-of-malicious-sample-forging-the-official-dispatch-of-the-central-inspection-committee/", "https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/", "https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/", "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/" ], "synonyms": [], "type": [] }, "uuid": "685c9c30-aa9f-43ee-a262-43c17c350049", "value": 
"5.t Downloader" }, { "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n", "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", "value": "7ev3n" }, { "description": "The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. 
Samples of their ransomware show they are using customized Phobos with SmokeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.8base", "https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/", "https://socradar.io/dark-web-profile-8base-ransomware/", "https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html", "https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/", "https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/", "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html", "https://twitter.com/rivitna2/status/1674718854549831681", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape", "https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack", "https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/" ], "synonyms": [], "type": [] }, "uuid": "7ee60640-29cd-4127-b805-1f2b753e9e15", "value": "8Base" }, { "description": "8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. 
The dropper was delivered through an RTF document exploiting CVE-2018-0798.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://blog.malwarelab.pl/posts/on_the_royal_road/", "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746", "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/", "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", "https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/", "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf", "https://community.riskiq.com/article/56fa1b2f", "https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf", "https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241", "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba", "https://community.riskiq.com/article/5fe2da7f", "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", 
"https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a" ], "synonyms": [ "8t_dropper", "RoyalRoad" ], "type": [] }, "uuid": "df755d5f-db11-417d-8fed-b7abdc826590", "value": "8.t Dropper" }, { "description": "9002 RAT is a Remote Access Tool typically observed being used by an APT to control a victim's machine. It has been spread via zero-day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a PowerShell command.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/", "https://www.infopoint-security.de/medien/the-elderwood-project.pdf", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf", "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf", "https://attack.mitre.org/groups/G0001/", 
"https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html", "https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", "https://www.youtube.com/watch?v=-7Swd1ZetiQ", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html" ], "synonyms": [ "HOMEUNIX", "Hydraq", "McRAT" ], "type": [] }, "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", "value": "9002 RAT" }, { "description": "Uses Discord as C&C, has ransomware feature.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon", "https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/" ], "synonyms": [], "type": [] }, "uuid": "97be2d1a-878d-46bd-8ee7-d8798ec61ef1", "value": "Abaddon" }, { "description": "MajorGeeks describes this malware as trying to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. 
Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", "https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/", "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/", "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" ], "synonyms": [ "PinkKite", "TinyPOS" ], "type": [] }, "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", "value": "AbaddonPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes" ], "synonyms": [], "type": [] }, "uuid": "27b54000-26b5-405f-9296-9fbc9217a8c9", "value": "abantes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker" ], "synonyms": [], "type": [] }, "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", "value": "Abbath Banker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abcsync", "https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/" ], "synonyms": [], "type": [] }, "uuid": "1e6afd04-d7d1-43a0-9ca5-082d418bd397", "value": "ABCsync" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader", "https://twitter.com/cocaman/status/1260069549069733888", "https://github.com/Tlgyt/AbSent-Loader" ], "synonyms": [], "type": [] }, "uuid": "532d67fc-0c93-4345-80c4-0c1657056d5e", "value": "AbSent Loader" }, { 
"description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor", "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/" ], "synonyms": [], "type": [] }, "uuid": "9aa1a516-bd88-4038-a37d-cf66c607e68c", "value": "ACBackdoor (Windows)" }, { "description": "ACEHASH is described by FireEye as a combined credential harvester that consists of two components, a loader and an encrypted/compressed payload. To execute, a password is required (e.g. 9839D7F1A0), and the individual modules are selected with parameters (-m, -w, -h).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash", "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-atlas" ], "synonyms": [], "type": [] }, "uuid": "51f8c94a-572f-450b-a52f-d3da96302d6b", "value": "ACEHASH" }, { "description": "Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. 
The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox", "https://www.epicturla.com/blog/acidbox-clustering", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://unit42.paloaltonetworks.com/acidbox-rare-malware/", "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" ], "synonyms": [ "MagicScroll" ], "type": [] }, "uuid": "4ccc1ec4-6008-4788-95d9-248749f5a7fe", "value": "AcidBox" }, { "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain", "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/" ], "synonyms": [], "type": [] }, "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41", "value": "AcridRain" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym" ], "synonyms": [], "type": [] }, "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", "value": "Acronym" }, { "description": "First introduced in March 2024, ACR Stealer is an information stealer sold as a Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums by a threat actor named \"SheldIO\". Researchers posit that this malware is an evolved version of the GrMsk Stealer, which likely aligns with the private stealer that SheldIO has been selling since July 2023. The malware, written in C++, is compatible with Windows 7 through 10, and the seller manages all command and control (C2) infrastructure. 
ACR Stealer can harvest system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs. Additionally, it employs the dead drop resolver (DDR) technique to obfuscate the actual C2 infrastructure.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer", "https://twitter.com/sekoia_io/status/1784943443157930449", "https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/", "https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed" ], "synonyms": [], "type": [] }, "uuid": "9d80476e-7121-4eeb-a39f-689d8eb872ab", "value": "ACR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat", "https://www.seqrite.com/blog/double-action-triple-infection-and-a-new-rat-sidecopys-persistent-targeting-of-indian-defence", "https://threatmon.io/unraveling-the-complex-infection-chain-analysis-of-the-sidecopy-apts-attack-report/", "https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/", "https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/" ], "synonyms": [], "type": [] }, "uuid": "57df4c54-3fff-49dd-9657-19265a66f5de", "value": "Action RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief", "https://twitter.com/ClearskySec/status/1377176015189929989", "https://github.com/LimerBoy/Adamantium-Thief" ], "synonyms": [], "type": [] }, "uuid": "28e01527-dbb5-4331-b5bf-5658ebf58297", "value": "Adamantium Thief" }, { "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and 
advertising service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", "https://twitter.com/JaromirHorejsi/status/813712587997249536", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016" ], "synonyms": [], "type": [] }, "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", "value": "AdamLocker" }, { "description": "Some Ransomware distributed by TA547 in Australia", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka", "https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign" ], "synonyms": [], "type": [] }, "uuid": "ebf31d45-922a-42ad-b326-8a72ba6dead7", "value": "Adhubllka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob", "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/" ], "synonyms": [], "type": [] }, "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf", "value": "AdKoob" }, { "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". 
The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot", "https://www.bromium.com/second-stage-attack-analysis/" ], "synonyms": [], "type": [] }, "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5", "value": "AdvisorsBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz", "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar" ], "synonyms": [], "type": [] }, "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58", "value": "Adylkuzz" }, { "description": "Ransomware written using .NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aesrt", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants" ], "synonyms": [], "type": [] }, "uuid": "fb0eb7a8-ab32-4371-96b7-2d19f9064ac5", "value": "AESRT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita", "https://twitter.com/_CPResearch_/status/1201957880909484033", "https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md", "https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "4c9f8ad2-ace4-42e5-ab70-efdfaad4d1bd", "value": "Afrodita" }, { "description": "Ransomware written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt", "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", 
"https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt" ], "synonyms": [ "Agenda", "Qilin" ], "type": [] }, "uuid": "d430e861-07d3-442a-8444-0bf87e660c26", "value": "AgendaCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a", "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf", "https://www.secureworks.com/research/threat-profiles/iron-hunter", 
"https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat", "https://docs.broadcom.com/doc/waterbug-attack-group", "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d", "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4", "https://artemonsecurity.com/snake_whitepaper.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "https://unit42.paloaltonetworks.com/ironnetinjector/", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/" ], "synonyms": [ "ComRAT", "Minit", "Sun rootkit" ], "type": [] }, "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "value": "Agent.BTZ" }, { "description": "Agent Racoon is a .NET-based backdoor malware that leverages DNS for covert C2 communication, employing randomized subdomains and Punycode encoding to evade detection. It features encrypted communication using a unique key per sample, supports remote command execution, and facilitates file transfers. Despite lacking an inherent persistence mechanism, it relies on external methods like scheduled tasks for execution. The malware, active since at least 2020, has targeted organizations in the U.S., Middle East, and Africa, including non-profits and government sectors. 
It disguises itself as legitimate binaries such as Google Update and MS OneDrive Updater, using obfuscation techniques like Base64 encoding and timestamp modifications to avoid detection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_racoon", "https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/" ], "synonyms": [], "type": [] }, "uuid": "f3dde421-0f6b-4a2e-b591-64820169ef1a", "value": "Agent Racoon" }, { "description": "A .NET-based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or to a Telegram channel.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://www.inde.nz/blog/inside-agenttesla", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/", "https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla", "https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/", "https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4", 
"https://www.telsy.com/download/4832/", "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/", "https://www.youtube.com/watch?v=Q9_1xNbVQPY", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", "https://isc.sans.edu/diary/rss/28190", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", "https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf", "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir", "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/", "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine", "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", "https://isc.sans.edu/diary/27666", "https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware", "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", "https://malwarebookreports.com/agent-teslaggah/", "https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/", "https://isc.sans.edu/diary/28202", "https://viuleeenz.github.io/posts/2023/08/agent-tesla-building-an-effective-decryptor/", "https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant", "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", "https://guillaumeorlando.github.io/AgentTesla", 
"https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1", "https://blog.minerva-labs.com/preventing-agenttesla", "https://cert.gov.ua/article/861292", "https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Agent%20Tesla/Agent%20Tesla%20Technical%20Analysis%20Report.pdf", "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", "https://blog.talosintelligence.com/ipfs-abuse/", "https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354", "https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", "https://inquest.net/blog/2021/11/02/adults-only-malware-lures", "https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137", "https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/", "https://isc.sans.edu/diary/rss/27092", "https://lab52.io/blog/a-twisted-malware-infection-chain/", "https://www.secureworks.com/research/threat-profiles/gold-galleon", 
"https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf", "https://stairwell.com/resources/proactive-response-anydesk-any-breach/", "https://www.infinitumit.com.tr/agent-tesla-malware-raporu/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://asec.ahnlab.com/ko/29133/", "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", "https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/", "https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/", "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825", "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", "https://youtu.be/hxaeWyK8gMI", "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://blog.netlab.360.com/purecrypter", "https://guillaumeorlando.github.io/GorgonInfectionchain", "https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html", "https://youtu.be/QQuRp7Qiuzg", "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", "http://ropgadget.com/posts/originlogger.html", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", 
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://community.riskiq.com/article/56e28880", "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/", "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf", "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware", "https://youtu.be/BM38OshcozE", "https://unit42.paloaltonetworks.com/originlogger/", "https://twitter.com/MsftSecIntel/status/1392219299696152578", "https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/", "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/", "https://malwatch.github.io/posts/agent-tesla-malware-analysis/", "https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/", "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/", "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/", "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/", 
"https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor", "http://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/", "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://securelist.com/agent-tesla-malicious-spam-campaign/107478/", "https://community.riskiq.com/article/40000d46", "http://blog.nsfocus.net/sweed-611/", "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/", "https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ", "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", "https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs", 
"https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/", "https://blog.malwarelab.pl/posts/basfu_aggah/", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://isc.sans.edu/diary/27088", "https://www.secureworks.com/research/darktortilla-malware-analysis", "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/", "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://youtu.be/7AifHTCldZI", "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html", "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/", "https://cyber-forensics.blog/2024/05/06/formbook-analysis/", "https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware", "https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/", "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://community.riskiq.com/article/6337984e", "http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" ], "synonyms": [ "AgenTesla", "AgentTesla", "Negasteal" ], "type": [] }, "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", "value": "Agent Tesla" }, { "description": "The agfSpy backdoor retrieves configuration and commands from its C&C server. 
These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy", "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html" ], "synonyms": [], "type": [] }, "uuid": "405fe149-1454-4e8c-a4a3-d56e0c5f62d7", "value": "AgfSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ahtapot", "https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf" ], "synonyms": [], "type": [] }, "uuid": "549b23b1-6f53-494e-a302-1d00aa71043b", "value": "Ahtapot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira", "https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/", "https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/", "https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/", "https://www.intrinsec.com/akira_ransomware/", "https://cybercx.com.au/blog/akira-ransomware/", "https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/", "https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape", "https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/", "https://securelist.com/crimeware-report-fakesg-akira-amos/111483/", 
"https://www.s-rminform.com/cyber-intelligence-briefing/uncovering-akira-privilege-escalation-techniques", "https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat", "https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480", "https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/", "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Ransomware/Akira/Akira-The_old_new_style_crime_EN_Aaron_Jornet.pdf", "https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/", "https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/", "https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html", "https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/", "https://twitter.com/MalGamy12/status/1651972583615602694" ], "synonyms": [], "type": [] }, "uuid": "834635f7-fb0f-472c-913e-fb112ae29fdc", "value": "Akira (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia", "https://blog.group-ib.com/task", "https://www.group-ib.com/blog/task/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", "https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/" ], "synonyms": [ "BlueTraveller" ], "type": [] }, "uuid": "dff7e10c-41ca-481d-8003-73169803272d", "value": "Albaniiutas" }, { "description": "According to Trend Micro Encyclopedia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. 
Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot" ], "synonyms": [], "type": [] }, "uuid": "43ec8adc-0658-4765-be20-f22679097fab", "value": "Aldibot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alfonso_stealer", "https://twitter.com/3xp0rtblog/status/1344352253294104576", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware" ], "synonyms": [], "type": [] }, "uuid": "a76874b3-12d0-4dec-9813-01819e6b6d49", "value": "Alfonso Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", "https://www.symantec.com/security-center/writeup/2016-122104-0203-99", 
"http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/" ], "synonyms": [ "AliceATM", "PrAlice" ], "type": [] }, "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca", "value": "Project Alice" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", "https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/", "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/", "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/" ], "synonyms": [ "alina_eagle", "alina_spark", "katrina" ], "type": [] }, "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", "value": "Alina POS" }, { "description": "AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. 
It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d", "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388", "https://github.com/Anderson-D/AllaKore", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf", "https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/", "https://threatmon.io/the-anatomy-of-a-sidecopy-attack-from-rar-exploits-to-allakore-rat/", "https://twitter.com/_re_fox/status/1212070711206064131", "https://www.team-cymru.com/post/allakore-d-the-sidecopy-train", "https://blog.talosintelligence.com/2021/07/sidecopy.html", "https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt", "https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/" ], "synonyms": [], "type": [] }, "uuid": "fb1c6035-42ee-403c-a2ae-a53f7ab2de00", "value": "AllaKore" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple", "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/", "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf" ], "synonyms": [ "Starman" ], "type": [] }, "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", "value": "Allaple" }, { "description": "Allcome is classified as a clipper malware. Clippers are threats designed to access information saved in the clipboard (the temporary buffer space where copied data is stored) and substitute it with other content. This attack is mainly targeted at users who are active in the cryptocurrency sector.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allcomeclipper", "https://bazaar.abuse.ch/browse/signature/AllcomeClipper/", "https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums" ], "synonyms": [], "type": [] }, "uuid": "43ca1245-a5e0-4b44-9892-cf317170c7b8", "value": "AllcomeClipper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.almanahe", "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [], "type": [] }, "uuid": "352f79b1-6862-4164-afa3-a1d787c40ec1", "value": "Almanahe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" ], "synonyms": [], "type": [] }, "uuid": "a0881a0c-e677-495b-b475-290af09bb716", "value": "Alma Communicator" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" ], "synonyms": [], "type": [] }, "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b", "value": "AlmaLocker" }, { 
"description": "AlmondRAT is a .NET Remote Access Trojan deployed by the Bitter APT group. It is capable of collecting system information, modifying and exfiltrating data and allows for remote command execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.almondrat", "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/" ], "synonyms": [], "type": [] }, "uuid": "c5fa22fd-5869-4a4d-b5fc-c3be18255d2e", "value": "AlmondRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", "value": "ALPC Local PrivEsc" }, { "description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", "https://twitter.com/JaromirHorejsi/status/813714602466877440" ], "synonyms": [], "type": [] }, "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", "value": "Alphabet Ransomware" }, { "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. 
The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key on its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, which is then sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. 
Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", "https://web.archive.org/web/20200505071300/https://threatvector.cylance.com/en_us/home/an-introduction-to-alphalocker.html", "https://blog.cylance.com/an-introduction-to-alphalocker" ], "synonyms": [], "type": [] }, "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", "value": "AlphaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone" ], "synonyms": [], "type": [] }, "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", "value": "AlphaNC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphaseed", "https://asec.ahnlab.com/en/60054/", "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2", "https://medium.com/s2wblog/detailed-analysis-of-alphaseed-a-new-version-of-kimsukys-appleseed-written-in-golang-2c885cce352a" ], "synonyms": [], "type": [] }, "uuid": "966c5a6d-16b8-43b1-acbd-163e904d4a03", "value": "AlphaSeed" }, { "description": "Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.\r\n\r\nIt uses either RC4 or DES for encryption of its configuration, which is stored in the registry.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, \r\nsystem locale, and network configuration.\r\n\r\nIt supports almost 25 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker’s C&C server. 
As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.\r\n\r\nIt comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).\r\n\r\nAlreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/", "https://securelist.com/lazarus-under-the-hood/77908/" ], "synonyms": [], "type": [] }, "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", "value": "Alreay" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html", "https://twitter.com/Sebdraven/status/1496878431719473155", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt", "https://www.youtube.com/watch?v=FttiysUZmDw", "https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf", "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", "https://securelist.com/tdss/36314/", "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/", "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/" ], "synonyms": [ "Olmarik", "Pihar", "TDL", "TDSS", "wowlik" ], "type": [] }, "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", "value": "Alureon" }, { "description": "Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. 
Its main functionality is that it can load other payloads (called \"tasks\") for all or specifically targeted computers compromised by the malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_config_extractor.ipynb", "https://embeeresearch.io/shodan-censys-queries/", "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/", "https://embee-research.ghost.io/amadey-bot-infrastructure/", "https://twitter.com/ViriBack/status/1062405363457118210", "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/", "https://www.vmray.com/cyber-security-blog/amadey-new-encoding-with-old-tricks/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-amadey-56c8c6ea0ad6", "https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html", "https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat", "https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/", "https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4", "https://embee-research.ghost.io/shodan-censys-queries/", "https://twitter.com/0xffff0800/status/1062948406266642432", "https://embeeresearch.io/redline-stealer-basic-static-analysis-and-c2-extraction/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", 
"https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey", "https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://asec.ahnlab.com/en/36634/", "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/", "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_string_decryptor.py", "https://www.linkedin.com/posts/idan-tarab-7a9057200_apt-ttps-coralraider-activity-7238998746254999553-57LG/", "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://asec.ahnlab.com/en/41450/", "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/", "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/", "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer", "https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://isc.sans.edu/diary/27264", "https://asec.ahnlab.com/en/44504/", "https://asec.ahnlab.com/en/59590/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", 
"https://nao-sec.org/2019/04/Analyzing-amadey.html", "https://www.anquanke.com/post/id/230116", "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://asec.ahnlab.com/en/40483/", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_1_kasuya_en.pdf", "https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/", "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" ], "synonyms": [], "type": [] }, "uuid": "77f2c81f-be07-475a-8d77-f59b4847f696", "value": "Amadey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "Adupihan" ], "type": [] }, "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", "value": "AMTsol" }, { "description": "Anatova is a ransomware family with the goal of ciphering all the files that it can and then requesting payment from the victim. It will also check if network shares are connected and will encrypt the files on these shares too. The code is also prepared to support modular extensions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom", "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/" ], "synonyms": [], "type": [] }, "uuid": "2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4", "value": "Anatova Ransomware" }, { "description": "Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. 
Operating since August 2018, it is not delivered to everybody but, on the contrary, only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://isc.sans.edu/diary/27308", "https://www.netscout.com/blog/asert/dropping-anchor", "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns", "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", 
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/" ], "synonyms": [], "type": [] }, "uuid": "c38308a1-c89d-4835-b057-744f66ff7ddc", "value": "Anchor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormail", "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/", "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/", "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/" ], "synonyms": [ "ANCHOR.MAIL", "Delegatz" ], "type": [] }, "uuid": "7792096a-7623-43a1-9a67-28dce0e4b39e", "value": "AnchorMail" }, { "description": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormtea", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "http://report.threatbook.cn/LS.pdf", "https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/" ], "synonyms": [], "type": [] }, "uuid": "565de3f5-7eb7-43ca-a9d9-b588dfd6a50a", "value": "AnchorMTea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor", "https://asec.ahnlab.com/en/56405/", "https://asec.ahnlab.com/ko/47751/", "https://asec.ahnlab.com/ko/56256/" ], "synonyms": [ "ROCKHATCH" ], "type": [] }, "uuid": "59a2437b-ae63-466a-9172-60d6610c3e19", "value": "Andardoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", 
"https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", "http://blog.morphisec.com/andromeda-tactics-analyzed", "https://blog.avast.com/andromeda-under-the-microscope", "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/", "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html", "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity", "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", "http://resources.infosecinstitute.com/andromeda-bot-analysis/", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/" ], "synonyms": [ "B106-Gamarue", "B67-SS-Gamarue", "Gamarue", "b66" ], "type": [] }, "uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", "value": "Andromeda" }, { "description": "According to Proofpoint, AndroMut is 
a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [ "Gelup" ], "type": [] }, "uuid": "85673cd4-fb05-4f6d-94ec-71290ae2e422", "value": "AndroMut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", 
"https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf" ], "synonyms": [ "UPPERCUT", "lena" ], "type": [] }, "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", "value": "Anel" }, { "description": "Ransomware that demands payment in Bitcoin.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus", "http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html", "https://github.com/albertzsigovits/malware-notes/blob/master/Antefrigus.md" ], "synonyms": [], "type": [] }, "uuid": "04788457-5b72-4a66-8f2c-73497919ece2", "value": "AnteFrigus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam" ], "synonyms": [ "Latinus" ], "type": [] }, "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", "value": "Antilam" }, { "description": "According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis", "https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/", "https://twitter.com/MsftSecIntel/status/1298752223321546754", "https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145" ], "synonyms": [ "Anubis Stealer" ], "type": [] }, "uuid": "b19c9f63-a18d-47bb-a9fe-1f9cea21bac0", "value": "Anubis (Windows)" }, { "description": "A loader written in Go, tracked since at least October 2021 by ZeroFox. 
Originally named Kraken and rebranded to Anubis in February 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis_loader", "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", "https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/", "https://windowsreport.com/kraken-botnet/", "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e" ], "synonyms": [ "Kraken", "Pepega" ], "type": [] }, "uuid": "e65ca164-f448-4f8e-a672-3ff7ec37e191", "value": "Anubis Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aperetif", "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/" ], "synonyms": [], "type": [] }, "uuid": "573eb306-f6c7-4ba9-91a9-881473d335b8", "value": "APERETIF" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto", "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" ], "synonyms": [], "type": [] }, "uuid": "d3e16d46-e436-4757-b962-6fd393056415", "value": "Apocalipto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom", "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" ], "synonyms": [], "type": [] }, "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", "value": "Apocalypse" }, { "description": "This is an implant usable with the Mythic C2 framework. 
Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apollo", "https://github.com/MythicAgents/Apollo" ], "synonyms": [], "type": [] }, "uuid": "f995662c-27ad-440b-97ce-f1ecd2b59221", "value": "Apollo" }, { "description": "Malware used by suspected Iranian threat actor Agrius, turned from wiper into ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apostle", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/", "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf", "https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/", "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/", "https://assets.sentinelone.com/sentinellabs/evol-agrius" ], "synonyms": [], "type": [] }, "uuid": "cb2d3a6f-8ff5-4b08-af95-7377cfe3f7c3", "value": "Apostle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", "https://www.telsy.com/download/5394/?uid=28b0a4577e", "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html", 
"https://us-cert.cisa.gov/ncas/alerts/aa21-048a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://twitter.com/VK_Intel/status/1182730637016481793", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f" ], "synonyms": [], "type": [] }, "uuid": "2b655949-8a17-46e5-9522-519c6d77c45f", "value": "AppleJeus (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed", "https://asec.ahnlab.com/en/30532/", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf", "https://asec.ahnlab.com/ko/26705/", "https://asec.ahnlab.com/en/36368/", "https://www.youtube.com/watch?v=Dv2_DK3tRgI", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf", "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf", "https://asec.ahnlab.com/ko/36918/", "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf", "https://asec.ahnlab.com/en/59590/", "https://asec.ahnlab.com/en/41015/", "https://www.youtube.com/watch?v=rfzmHjZX70s", "https://www.telsy.com/download/5654/?uid=4869868efd", "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2", "https://asec.ahnlab.com/ko/54804/", 
"https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf", "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/", "https://asec.ahnlab.com/en/60054/", "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ "JamBog" ], "type": [] }, "uuid": "c7f8e3b8-328d-43c3-9235-9a2f704389b4", "value": "Appleseed" }, { "description": "According to F-Secure, Ardamax is a commercial keylogger program that can be installed onto the system from the product's website. When run, the program can capture a range of user activities, such as keystrokes typed, instant messenger chat logs, web browser activity and even screenshots of the active desktop.\r\n\r\nThis program can be configured to a complete stealth mode, with password protection, to avoid user detection.\r\n\r\nThe information gathered is stored in an encrypted log file, which is only viewable using the built-in Log Viewer. 
The log file can be sent to an external party through e-mail, via a local area network (LAN) or by upload to an FTP server (in either HTML or encrypted format).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576" ], "synonyms": [], "type": [] }, "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", "value": "ArdaMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", "value": "Arefty" }, { "description": "A banking trojan, derived from the source code of win.kronos. In August 2022 it started to incorporate DGA code from win.qakbot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ares", "https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga", "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan" ], "synonyms": [], "type": [] }, "uuid": "a711ad02-0120-41a1-8c03-8a857a7dc297", "value": "Ares (Windows)" }, { "description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian-language Dark Web forums (\"RAMP\" and \"XSS\") by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. 
Additional features of the loader include:\r\n\r\n1. Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader", "https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/", "https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html", "https://flashpoint.io/blog/private-malware-for-sale-aresloader/", "https://twitter.com/k3dg3/status/1636873721200746496", "https://intel471.com/blog/new-loader-on-the-bloc-aresloader" ], "synonyms": [], "type": [] }, "uuid": "1bd6c2ab-341e-43e1-90ca-2e7509828268", "value": "AresLoader" }, { "description": "During a campaign against a Ukrainian energy provider, a new loader of a new version of CaddyWiper called \"ArguePatch\" was observed by ESET researchers. 
ArguePatch is a modified version of Hex-Rays' Remote Debugger Server (win32_remote.exe).\r\nArguePatch expects a decryption key and the file containing the CaddyWiper shellcode as command line parameters.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arguepatch", "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" ], "synonyms": [], "type": [] }, "uuid": "e9b4bec3-ad18-49cc-b6af-c0ffcc283153", "value": "ArguePatch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody", "https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1", "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf", "https://securelist.com/it-threat-evolution-q2-2020/98230", "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/", "https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html", "https://securelist.com/naikons-aria/96899/" ], "synonyms": [], "type": [] }, "uuid": "5fa1c068-8e73-4930-b6fe-8c92c6357df6", "value": "Aria-body" }, { "description": "This malware is a Go-written variant of Micropsia and, according to Deep Instinct, it is still in development.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher", "https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/", "https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks" ], "synonyms": [], "type": [] }, "uuid": "2037d9f1-bf2a-44e1-b04f-98fe3f961381", "value": "Arid Gopher" }, { "description": "Helper malware associated with AridGopher, which will provide an alternative persistence mechanism in case \"360 total security\" is found on a target system.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.aridhelper", "https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant" ], "synonyms": [], "type": [] }, "uuid": "6bd3759f-5961-423d-9437-c67bddcda458", "value": "AridHelper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", "http://remote-keylogger.net/" ], "synonyms": [ "Aaron Keylogger" ], "type": [] }, "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", "value": "Arik Keylogger" }, { "description": "Arkei is a stealer that appeared around May 2018. It collects data about browsers (saved passwords and autofill forms), cryptocurrency wallets, and steal files matching an attacker-defined pattern. It then exfiltrates everything in a zip file uploaded to the attacker's panel. Later, it was forked and used as a base to create Vidar stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer", "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/", "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/", "https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets", "https://isc.sans.edu/diary/rss/28468", "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer", "https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://threatmon.io/arkei-stealer-analysis-threatmon/", "https://m4lcode.github.io/malware%20analysis/vidar/", "https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/", "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", 
"https://ke-la.com/information-stealers-a-new-landscape/" ], "synonyms": [ "ArkeiStealer" ], "type": [] }, "uuid": "59eff508-7f26-4fd8-b526-5772a9f3d9a6", "value": "Arkei Stealer" }, { "description": "ArrowRAT is available as a service, purchasable by anyone to use in their own campaigns. Its features are generally typical of a RAT, with its most notable aspect being the hVNC (hidden VNC) module, which gives an attacker full remote desktop access with minimal technical knowledge required to use it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat", "https://www.arrowrat.com" ], "synonyms": [], "type": [] }, "uuid": "3d5608dc-1e0d-40cb-8a17-3a8d7efb1c53", "value": "ArrowRAT" }, { "description": "ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which in turn seems to be based on SafeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", "https://twitter.com/Racco42/status/1001374490339790849", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/", "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/" ], "synonyms": [], "type": [] }, "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", "value": "ARS VBS Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045e", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/" ], "synonyms": [], "type": [] }, "uuid": "bc0ad216-9b56-489e-858d-68522e1fdfaf", "value": "ARTFULPIE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra", "https://securelist.com/apt-trends-report-q1-2021/101967/", 
"https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english", "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/", "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/", "https://www.freebuf.com/articles/database/192726.html" ], "synonyms": [], "type": [] }, "uuid": "05de9c50-5958-4d02-b1a0-c4a2367c2d22", "value": "Artra Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asbit", "https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan" ], "synonyms": [], "type": [] }, "uuid": "488b735f-9138-4970-9d20-77132f4a82d6", "value": "Asbit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" ], "synonyms": [], "type": [] }, "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", "value": "AscentLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc" ], "synonyms": [], "type": [] }, "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", "value": "ASPC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/" ], "synonyms": [ "Aseljo", "BadSrc" ], "type": [] }, "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", "value": "Asprox" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/" ], "synonyms": [], "type": [] }, "uuid": "a51595aa-a399-4332-a14d-a378bae609e7", "value": "Asruex" }, { "description": "First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques. Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research", "https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/", "https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962", "https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/", "https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://isc.sans.edu/diary/27482", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html", "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/", "https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", 
"https://blog.easysol.net/meet-lucifer-international-trojan/", "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/", "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/" ], "synonyms": [ "Guildma" ], "type": [] }, "uuid": "0cdb83dd-106b-458e-8d04-ca864281e06e", "value": "Astaroth" }, { "description": "Astasia is a banking trojan that spreads through phishing emails that contain an executable attachment. Once the attachment is executed, Astasia downloads and installs a trojan that runs in the background. The trojan can steal personal information, such as passwords and credit card numbers, from victims.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.astasia", "https://twitter.com/MalGamy12/status/1690100567756906497" ], "synonyms": [], "type": [] }, "uuid": "6cc38bdd-f7ac-4775-bc41-69e72b761ab5", "value": "Astasia" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker", "https://blog.malwarebytes.com/ransomware/2022/07/astralocker-2-0-ransomware-isnt-going-to-give-you-your-files-back/", "https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs", "https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/", "https://www.emsisoft.com/ransomware-decryption-tools/astralocker" ], "synonyms": [], "type": [] }, "uuid": "d32a6790-57c7-4985-b6e0-5b73f025fb43", "value": "AstraLocker" }, { "description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. 
It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser", "https://cocomelonc.github.io/book/2023/12/13/malwild-book.html", "https://community.riskiq.com/article/ade260c6", "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/", "https://threatpost.com/ta2541-apt-rats-aviation/178422/", "https://labs.k7computing.com/?p=21759", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://blog.morphisec.com/syk-crypter-discord", "https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat", "https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/", "https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/", "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", 
"https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection", "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service", "https://embee-research.ghost.io/unpacking-malware-using-process-hacker-and-memory-inspection/", "https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/", "https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/", "https://www.linkedin.com/feed/update/urn:li:activity:7252248385007603713/", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/", "https://embee-research.ghost.io/shodan-censys-queries/", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns", "https://twitter.com/ESETresearch/status/1449132020613922828", "https://blog.cyber5w.com/analyzing-macro-enabled-office-documents", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign", "https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html", 
"https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/", "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", "https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html", "https://twitter.com/vxunderground/status/1519632014361640960", "https://axmahr.github.io/posts/asyncrat-detection/", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware", "https://embeeresearch.io/shodan-censys-queries/", "https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat", "https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#", "https://blog.netlab.360.com/purecrypter", "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", "https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://aidenmitchell.ca/asyncrat-via-vbs/", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://twitter.com/MsftSecIntel/status/1392219299696152578", "https://community.riskiq.com/article/24759ad2", "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia", 
"https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", "https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/", "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html", "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", "https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.linkedin.com/feed/update/urn:li:activity:7137086303329783808/", "https://github.com/jeFF0Falltrades/rat_king_parser", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html", "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html", "https://embeeresearch.io/unpacking-net-malware-with-process-hacker/", 
"https://www.esentire.com/blog/asyncrat-activity", "https://assets.virustotal.com/reports/2021trends.pdf", "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/", "https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies", "https://www.secureworks.com/research/darktortilla-malware-analysis", "https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://eln0ty.github.io/malware%20analysis/asyncRAT/", "https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://www.gatewatcher.com/en/lab/zip-files-make-it-bigger-to-avoid-edr-detection/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html", "https://dfir.ch/posts/asyncrat_quasarrat/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper", "https://embeeresearch.io/unpacking-malware-using-process-hacker-and-memory-inspection/", "https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique", "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno", "https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", 
"https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", "https://community.riskiq.com/article/3929ede0/description" ], "synonyms": [], "type": [] }, "uuid": "c94c4f23-20d1-4858-8f94-01a54b213981", "value": "AsyncRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atharvan", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research" ], "synonyms": [], "type": [] }, "uuid": "b1ff6117-7dd2-4328-bde8-00d74584fc98", "value": "Atharvan" }, { "description": "Athena is an agent (payload) for the Mythic C2 framework, written in C# (.NET 6); it supports HTTP, WebSockets, Slack and SMB as C2 channels.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.athena", "https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/" ], "synonyms": [], "type": [] }, "uuid": "69bcd272-e69e-4548-bb8e-05eedcc3f13e", "value": "Athena" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago" ], "synonyms": [], "type": [] }, "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", "value": "AthenaGo RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [], "type": [] }, "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", "value": "ATI-Agent" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.atlantida", "https://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/", "https://research.checkpoint.com/2024/stargazers-ghost-network/" ], "synonyms": [], "type": [] }, "uuid": "4c7d243d-ffbe-4fc4-afe3-0961ba99e2b0", "value": "Atlantida" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atlas_agent", "https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/" ], "synonyms": [], "type": [] }, "uuid": "2fa8f479-63c3-4f91-954a-f30a50d2ad6e", "value": "AtlasAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii", "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" ], "synonyms": [], "type": [] }, "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", "value": "ATMii" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/" ], "synonyms": [], "type": [] }, "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", "value": "ATMitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", "https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420", "value": "Atmosphere" }, { "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries 
are legitimate Windows drivers used to interact with the components of different ATM models.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf", "https://www.secureworks.com/research/threat-profiles/gold-kingswood" ], "synonyms": [], "type": [] }, "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", "value": "ATMSpitter" }, { "description": "According to PCrisk, AtomSilo is a type of malware that blocks access to files by encrypting them and renames every encrypted file by appending the \".ATOMSILO\" to its filename. It renames \"1.jpg\" to \"1.jpg.ATOMSILO\", \"2.jpg\" to \"2.jpg.ATOMSILO\", and so on. As its ransom note, AtomSilo creates the \"README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta\" file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion", "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/", "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/", "https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://twitter.com/siri_urz/status/1437664046556274694?s=20", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/" ], "synonyms": [], "type": [] }, "uuid": "f47633fb-2c2b-46c3-a1e6-2204d56897b8", "value": "ATOMSILO" 
}, { "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor’s core lies in its dispatcher, which serves as a management unit for additional plugins that provide all of the malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. The plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. 
The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor", "https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf", "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/", "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform", "https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/", "https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html" ], "synonyms": [], "type": [] }, "uuid": "f5f61bc0-aad2-4da3-83db-703ea516c03b", "value": "Attor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene", "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html" ], "synonyms": [], "type": [] }, "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78", "value": "August Stealer" }, { "description": "According to Sophos, the AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill", 
"https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/" ], "synonyms": [ "SophosKill" ], "type": [] }, "uuid": "07bd266b-811a-4abe-83b3-471918d6fab4", "value": "AuKill" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "Riodrv" ], "type": [] }, "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd", "value": "Auriga" }, { "description": "Ransomware (distinct from the Aurora Stealer information stealer, which has its own entry).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://blog.morphisec.com/in2al5d-p3in4er", "https://twitter.com/malwrhunterteam/status/1001461507513880576" ], "synonyms": [ "OneKeyLocker" ], "type": [] }, "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", "value": "Aurora" }, { "description": "First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets, local systems, and acts as a loader. 
During execution, the malware runs several commands through WMIC to collect basic host information, snaps a desktop image, and exfiltrates data to the C2 server within a single base64-encoded JSON file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer", "https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/", "https://d01a.github.io/aurora-stealer-builder/", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://isc.sans.edu/diary/rss/29448", "https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html", "https://d01a.github.io/aurora-stealer/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer", "https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/", "https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219" ], "synonyms": [], "type": [] }, "uuid": "ac697773-7239-4f01-b4b3-7da8b2a64bdf", "value": "Aurora Stealer" }, { "description": "Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. 
Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/", "https://www.tgsoft.it/files/report/download.asp?id=568531345", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.connectwise.com/resources/avaddon-profile", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/", "https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis", "https://arxiv.org/pdf/2102.04796.pdf", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf", "https://www.swascan.com/it/avaddon-ransomware/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire", "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/", "https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/", "https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://twitter.com/dk_samper/status/1348560784285167617", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4", "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/", 
"https://twitter.com/Securityinbits/status/1271065316903120902" ], "synonyms": [], "type": [] }, "uuid": "8f648193-68ca-40c2-98b2-e5481487463e", "value": "Avaddon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler", "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" ], "synonyms": [], "type": [] }, "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", "value": "AvastDisabler" }, { "description": "Bleeping Computer reports the discovery of AVCrypt, a malware that tries to uninstall existing security software before it encrypts a computer. Furthermore, because it removes numerous services, including Windows Update, and provides no contact information, this ransomware may be a wiper.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", "https://twitter.com/malwrhunterteam/status/976925447043846145", "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" ], "synonyms": [], "type": [] }, "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", "value": "AVCrypt" }, { "description": "Cyble Research discovered this .Net-written malware dubbed \"AvD Crypto Stealer\". The name of this malware is misleading, because it is actually a kind of clipper malware. 
Cyble's assumption is that this malware could be used to target other threat actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avd", "https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/" ], "synonyms": [], "type": [] }, "uuid": "de92fff8-337e-4cf8-853b-f13f08ffc24d", "value": "AvD Crypto Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" ], "synonyms": [], "type": [] }, "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", "value": "Aveo" }, { "description": "Information stealer which uses AutoIT for wrapping.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria", "https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/", "https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf", "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html", "https://reaqta.com/2019/04/ave_maria-malware-part1/", "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1", "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", 
"https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://www.youtube.com/watch?v=81fdvmGmRvM", "https://muha2xmad.github.io/malware-analysis/warzonerat/", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", "https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf", "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery", "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.bleepingcomputer.com/news/security/fbi-seizes-warzone-rat-infrastructure-arrests-malware-vendor/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://blog.morphisec.com/syk-crypter-discord", "https://www.youtube.com/watch?v=T0tdj1WDioM", "https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", "https://blog.yoroi.company/research/the-ave_maria-malware/", 
"https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", "https://blog.talosintelligence.com/attributing-yorotrooper/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique", "https://www.youtube.com/watch?v=-G82xh9m4hc", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://blog.cyber5w.com/analyzing-macro-enabled-office-documents", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest", "https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/", "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", "https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", "https://www.europol.europa.eu/media-press/newsroom/news/international-cybercrime-malware-service-targeting-thousands-of-unsuspecting-consumers-dismantled", "https://asec.ahnlab.com/en/36629/", 
"https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/warzonerat/warzonerat_config_extraction.ipynb" ], "synonyms": [ "AVE_MARIA", "AveMariaRAT", "Warzone RAT", "WarzoneRAT", "avemaria" ], "type": [] }, "uuid": "6bae792a-c2d0-42eb-b9e0-6ef1d83f9b25", "value": "Ave Maria" }, { "description": "AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.\r\n\r\nIn March 2022, the FBI and US Treasury Department issued a warning about the attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker", "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/", "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux", "https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.ic3.gov/Media/News/2022/220318.pdf", "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/", "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", 
"https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group" ], "synonyms": [], "type": [] }, "uuid": "8cee7a73-df5f-4ca3-ac52-b8a29a9b7414", "value": "AvosLocker" }, { "description": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avrecon" ], "synonyms": [], "type": [] }, "uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65", "value": "Unidentified 061 (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan", "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" ], "synonyms": [], "type": [] }, "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", "value": "Avzhan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.axlocker", "https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "017ea8db-6eb4-4df1-bac0-da908d2aea9f", "value": "AXLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" ], "synonyms": [], "type": [] }, "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70", "value": "Ayegent" }, { "description": "Keylogger.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke", "https://snort.org/rule_docs/1-34217", "https://www.youtube.com/watch?v=FttiysUZmDw" ], "synonyms": [], "type": [] }, "uuid": "91524400-097c-4584-9168-05b317d57b63", "value": "Aytoke" 
}, { "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/", "https://community.riskiq.com/article/56e28880", "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", "https://unit42.paloaltonetworks.com/cybersquatting/", "https://isc.sans.edu/diary/25120", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", 
"https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://twitter.com/DrStache_/status/1227662001247268864", "https://ke-la.com/information-stealers-a-new-landscape/", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf", "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html", "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", "https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/", 
"https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://asec.ahnlab.com/en/26517/", "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/", "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html", "https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", "https://securelist.com/azorult-analysis-history/89922/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/", "https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/", "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://any.run/cybersecurity-blog/azorult-malware-analysis/", "https://community.riskiq.com/article/2a36a7d2/description", "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://fr3d.hk/blog/gazorp-thieving-from-thieves", 
"https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05", "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html" ], "synonyms": [ "PuffStealer", "Rultazo" ], "type": [] }, "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", "value": "Azorult" }, { "description": "According to Checkpoint, this malware is a wiper instead of ransomware as self-announced. It is manually written in FASM, unrecoverably overwriting data in blocks of 666 bytes, using multi-threading.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper", "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/", "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper", "https://twitter.com/_CPResearch_/status/1587837524604465153" ], "synonyms": [], "type": [] }, "uuid": "db8dee2a-938e-46af-b2e3-ef5d6e626da7", "value": "Azov Wiper" }, { "description": "According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. 
According to the researchers’ analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda", "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities" ], "synonyms": [], "type": [] }, "uuid": "fcb369e1-0783-4188-8841-936c6976035f", "value": "Babadeda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", "http://www.spiegel.de/media/media-35683.pdf", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" ], "synonyms": [ "SNOWBALL" ], "type": [] }, "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", "value": "Babar" }, { "description": "Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. 
It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk", "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html", "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html", "https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/", "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/", "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/", "https://cocomelonc.github.io/book/2023/12/13/malwild-book.html", "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf", "https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/", "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", "https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/", "https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/", 
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/", "https://securelist.com/ransomware-world-in-2021/102169/", "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62", "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings", "https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt", "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://blog.morphisec.com/babuk-ransomware-variant-major-attack", "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", "https://twitter.com/GossiTheDog/status/1409117153182224386", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://twitter.com/Sebdraven/status/1346377590525845504", "https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/", "https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/", "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://github.com/EmissarySpider/ransomware-descendants", 
"https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/", "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", "https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/", "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f", "https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf", "https://resources.prodaft.com/wazawaka-report", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", "https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/", "https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/", "https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" ], "synonyms": [ "Babyk", "Vasa Locker" ], "type": [] }, "uuid": "3e243686-a0a0-4aff-b149-786cc3f99a84", "value": "Babuk (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat", "https://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/", 
"https://twitter.com/KorbenD_Intel/status/1110654679980085262" ], "synonyms": [], "type": [] }, "uuid": "1a196c09-f7cd-4a6e-bc3c-2489121b5381", "value": "BabyLon RAT" }, { "description": "BABYMETAL is a command line network tunnel utility based on the TinyMet Meterpreter tool, primarily used to execute Meterpreter reverse shell payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000", "https://www.mandiant.com/resources/evolution-of-fin7" ], "synonyms": [], "type": [] }, "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", "value": "BABYMETAL" }, { "description": "BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. 
It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instructions from the operator.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark", "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood", "https://www.youtube.com/watch?v=Dv2_DK3tRgI", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", "https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://www.youtube.com/watch?v=rfzmHjZX70s", "https://twitter.com/i/web/status/1099147896950185985", "https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark", 
"https://blog.alyac.co.kr/3352", "https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/", "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1" ], "synonyms": [ "LATEOP" ], "type": [] }, "uuid": "8abdd40c-d79a-4353-80e3-29f8a4229a37", "value": "BabyShark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bachosens", "https://medium.com/threat-intel/cybercrime-investigation-insights-bachosens-e1d6312f6b3a" ], "synonyms": [], "type": [] }, "uuid": "c5b3d358-62f8-46fe-85dc-44b565052f94", "value": "Bachosens" }, { "description": "FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "934da8b2-f66e-4056-911e-1da09216e8b8", "value": "BACKBEND" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig", "https://unit42.paloaltonetworks.com/atoms/thirstygemini/", "https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/" ], "synonyms": [], "type": [] }, "uuid": "b3c517cf-6704-43b0-a6da-fed94c9b537a", "value": "BackConfig" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet", "https://github.com/valsov/BackNet" ], "synonyms": [], "type": [] }, "uuid": "e2840cc1-c43d-4542-9818-a3c15a0f9f7a", "value": "BackNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff", "https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/" ], 
"synonyms": [], "type": [] }, "uuid": "70f68c8c-4dc5-4bb0-9f4d-a7484561574b", "value": "Backoff POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", "https://www.secureworks.com/research/threat-profiles/bronze-geneva", "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" ], "synonyms": [ "Lecna", "ZRLnk" ], "type": [] }, "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", "value": "backspace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", "https://www.cert.pl/en/news/single/backswap-malware-analysis/", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/", "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", "https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", "https://research.checkpoint.com/the-evolution-of-backswap/", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://explore.group-ib.com/htct/hi-tech_crime_2018", "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi" ], "synonyms": [], "type": [] }, "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", "value": "BackSwap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall", "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", 
"https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.us-cert.gov/ncas/analysis-reports/ar19-252a" ], "synonyms": [], "type": [] }, "uuid": "9ddf546b-487f-44e4-b0dd-07e9997c86c6", "value": "BADCALL (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript", "https://twitter.com/PhysicalDrive0/status/833067081981710336" ], "synonyms": [], "type": [] }, "uuid": "af1c99be-e55a-473e-abed-726191e1da05", "value": "BadEncript" }, { "description": "BADFLICK is a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", "https://blog.amossys.fr/badflick-is-not-so-bad.html", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [], "type": [] }, "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763", "value": "badflick" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch", "https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/", "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" ], "synonyms": [], "type": [] }, "uuid": "8e8880bf-d016-4759-a138-2fdb4e54f9ab", "value": "BADHATCH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", 
"http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", "https://securelist.com/apt-trends-report-q1-2021/101967/", "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait", "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign", "https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf", "https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", "value": "BadNews" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle", "https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf" ], "synonyms": [], "type": [] }, "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", "value": "Bagle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", 
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ], "synonyms": [], "type": [] }, "uuid": "b420eb9f-d526-473c-95ab-5ab380bbec72", "value": "Bahamut (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr", "https://www.youtube.com/watch?v=E2V4kB_gtcQ", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf", "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/", "https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/" ], "synonyms": [ "Baldir" ], "type": [] }, "uuid": "7024893a-96fe-4de4-bb04-c1d4794a4c95", "value": "Baldr" }, { "description": "According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door", "https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/" ], "synonyms": [], "type": [] }, "uuid": "22d61347-4d89-41e7-89dc-95b1f370522d", "value": "BalkanDoor" }, { "description": "The goal of BalkanRAT which is a more complex part of the malicious Balkan-toolset (cf. BalkanDoor) is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components to help load, install and conceal the existence of the remote desktop software. 
A single long-term campaign involving BalkanRAT has been active since at least January 2016 and targeted accounting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (given that the contents of the emails, the included links and the decoy PDFs all involved taxes). It was legitimately signed and was installed by an exploit of the WinRAR ACE vulnerability (CVE-2018-20250).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat", "https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/" ], "synonyms": [], "type": [] }, "uuid": "d7b40333-a2ce-423d-9052-51b09bf18bb3", "value": "BalkanRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf", "https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/" ], "synonyms": [], "type": [] }, "uuid": "f355f41b-a6b2-48b7-9c5c-da99a41cb1ad", "value": "Bamital" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix", "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/" ], "synonyms": [], "type": [] }, "uuid": "721fe429-f240-4fd6-a5c9-187195624b51", "value": "Banatrix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bancos", "https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil" ], "synonyms": [], "type": [] }, "uuid": "a2ee2f24-ead8-4415-b777-7190478a620c", "value": "bancos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandit", "https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html", 
"https://research.openanalysis.net/garble/go/obfuscation/strings/2023/08/03/garble.html", "https://www.trendmicro.com/en_in/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html", "https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure", "https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware" ], "synonyms": [], "type": [] }, "uuid": "53ef2273-0e62-4ad3-bcbc-d2cd72fc6108", "value": "Bandit Stealer" }, { "description": "Bandook malware is a remote access trojan (RAT) first seen in 2007 and has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook", "https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/", "https://research.checkpoint.com/2020/bandook-signed-delivered", "https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america", "https://www.eff.org/files/2018/01/29/operation-manul.pdf", "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook", "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot", "https://research.checkpoint.com/2020/bandook-signed-delivered/", "https://twitter.com/malwrhunterteam/status/796425285197561856", "https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Bandok" ], "type": [] }, "uuid": "3144e23d-6e3e-47e6-8f0e-a47be25d1041", "value": "Bandook" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat", "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal" ], "synonyms": [], "type": [] }, "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7", "value": "bangat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", "http://blog.kleissner.org/?p=69", "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/", "http://osint.bambenekconsulting.com/feeds/", "http://blog.kleissner.org/?p=192" ], "synonyms": [ "BackPatcher", "BankPatch", "MultiBanker 2" ], "type": [] }, "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", "value": "Banjori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://malverse.it/analisi-bankshot-copperhedge", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "https://securelist.com/it-threat-evolution-q2-2023/110355/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://blog.reversinglabs.com/blog/hidden-cobra", "https://us-cert.cisa.gov/ncas/alerts/aa22-108a", "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-108a" ], "synonyms": [ "COPPERHEDGE", "FoggyBrass" ], "type": [] }, "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", "value": "Bankshot" }, 
{ "description": "BanPolMex is a remote access trojan that uses TCP for communication.\r\n\r\nIt uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.\r\n\r\nIt supports almost 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker’s C&C server. As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indices are convertible into a meaningful ASCII representation that even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.\r\n\r\nIt has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).\r\n\r\nBanPolMex RAT was delivered to victims of a watering hole campaign targeting employees of Polish and Mexican banks, which was discovered in February 2017. 
It is usually loaded by HOTWAX.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex", "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" ], "synonyms": [], "type": [] }, "uuid": "95d699dc-d19e-47a7-9d38-fef5008ce891", "value": "BanPolMex RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.barbie", "https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" ], "synonyms": [], "type": [] }, "uuid": "dbf9d453-cf02-4861-ab90-f65bb77d5971", "value": "Barb(ie) Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.barbwire", "https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/", "https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" ], "synonyms": [], "type": [] }, "uuid": "7e68e486-08a8-4d09-997f-2b844cf86fc2", "value": "BarbWire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.barkiofork", "https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry" ], "synonyms": [], "type": [] }, "uuid": "d2cdaceb-7810-4c80-9a69-0a6f27832725", "value": "barkiofork" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [], "type": [] }, "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", "value": "Bart" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper", "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs" ], "synonyms": [], "type": [] }, "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", "value": "BatchWiper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", "value": "Batel" }, { "description": "According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer Visual Studio) bundled with this malware. We have found those installers on compromised websites.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bat_loader", "https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle", "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs", "https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html", 
"https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif", "https://www.mandiant.com/resources/seo-poisoning-batloader-atera", "https://intel471.com/blog/malvertising-surges-to-distribute-malware", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader", "https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a", "https://www.esentire.com/blog/batloader-continues-signed-msix-app-package-abuse" ], "synonyms": [], "type": [] }, "uuid": "ce6fe6c6-a74a-4cf7-adf8-41b5433bcbb6", "value": "BATLOADER" }, { "description": "BazarBackdoor is a small backdoor, probably by a TrickBot \"spin-off\" like anchor. It is called the team9 backdoor (and the corresponding loader: team9 restart loader).\r\n\r\nFor now, it exclusively uses Emercoin domains (.bazar), hence the name. FireEye uses KEGTAP as the name for BazarLoader and BEERBOT for BazarBackdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor", "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://isc.sans.edu/diary/27308", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/", 
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/", "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", "https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html", "https://fr3d.hk/blog/campo-loader-simple-but-effective", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/", "https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/", "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", 
"https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware", "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors", "https://intel471.com/blog/conti-leaks-ransomware-development", "https://unit42.paloaltonetworks.com/api-hammering-malware-families/", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://experience.mandiant.com/trending-evil/p/1", "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://twitter.com/Unit42_Intel/status/1458113934024757256", "https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/", "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/", "https://twitter.com/anthomsec/status/1321865315513520128", "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/", "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware", "https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.youtube.com/watch?v=pIXl79IPkLI", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor", "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/", 
"https://forensicitguy.github.io/bazariso-analysis-advpack/", "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html", "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/", "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", "https://johannesbader.ch/blog/yet-another-bazarloader-dga/", "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors", "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9", "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/", "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/", "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html", "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/", "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/", 
"https://abnormalsecurity.com/blog/bazarloader-contact-form", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://malwarebookreports.com/a-look-back-at-bazarloaders-dga/", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/", "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/", "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II", "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets", "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", "https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/", "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", 
"https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/", "https://malwarebookreports.com/bazarloader-back-from-holiday-break/", "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/", "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/", "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader", "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/", "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day", "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", "https://thedfirreport.com/2020/10/08/ryuks-return/", 
"https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html", "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://unit42.paloaltonetworks.com/bazarloader-malware/", "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://www.youtube.com/watch?v=uAkeXCYcl4Y", "https://www.scythe.io/library/threatthursday-ryuk" ], "synonyms": [ "BEERBOT", "KEGTAP", "Team9Backdoor", "bazaloader", "bazarloader" ], "type": [] }, "uuid": "3b1a6ba7-9617-4413-a4ad-66f5d9870bb7", "value": "BazarBackdoor" }, { "description": "A rewrite of Bazarloader in the Nim programming language.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://twitter.com/James_inthe_box/status/1357009652857196546", "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques" ], "synonyms": [ "NimzaLoader" ], "type": [] }, "uuid": 
"1735a331-9ca9-49b6-a5aa-0ddac9db8de6", "value": "BazarNimrod" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/", "https://www.youtube.com/watch?v=uakw2HMGZ-I", "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb", "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", "https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae" ], "synonyms": [], "type": [] }, "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", "value": "BBSRAT" }, { "description": "360 Security Center describes BBtok as a banking trojan targeting Mexico.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbtok", "https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/", "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/", "https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader" ], "synonyms": [], "type": [] }, "uuid": "0b114f49-8c4d-425d-8426-a0c4ab145f36", "value": "BBtok" }, { "description": "According to Symantec, Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy", "https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china" ], "synonyms": [], "type": [] }, "uuid": "404e8121-bced-4320-a984-2b490fad90f8", "value": "Beapy" }, { "description": "According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process. Upon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread; the thread points to NtCreateFile. The sample changes execution to shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved, it is deleted from Trello.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop", "https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745", "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58", "https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns", "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/" ], "synonyms": [], "type": [] }, "uuid": "d2fd10ba-5904-4679-8758-509b72b1aa2c", "value": "BEATDROP" }, { 
"description": "Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep", "https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html", "http://malware-traffic-analysis.net/2016/05/09/index.html", "https://blog.talosintelligence.com/bedep-actor/", "https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/", "https://www.zscaler.com/blogs/security-research/malvertising-leading-flash-zero-day-angler-exploit-kit", "https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html" ], "synonyms": [], "type": [] }, "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", "value": "Bedep" }, { "description": "Malware family observed in conjunction with PlugX infrastructure in 2013.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bee", "https://www.virustotal.com/gui/file/38f9ce7243c7851d67b24eb53b16177147f38dfffe201c5bedefe260d22ac908/detection" ], "synonyms": [], "type": [] }, "uuid": "2d4aacb7-392a-46fd-b93d-33fcdaeb348f", "value": "Bee" }, { "description": "BEENDOOR is a XMPP based trojan. 
It is capable of taking screenshots of the victim's desktop.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", "value": "beendoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "1732faab-2cf9-4d79-a085-6331da008047", "value": "BeepService" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bellaciao", "https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/" ], "synonyms": [], "type": [] }, "uuid": "4677e4e1-a5aa-405b-9140-523282740d3f", "value": "BellaCiao" }, { "description": "Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. 
By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard", "https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0" ], "synonyms": [], "type": [] }, "uuid": "40c48c99-7d33-4f35-92f1-937c3686afa7", "value": "Belonard" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.berbew", "https://blog.sonicwall.com/en-us/2023/02/berbew-backdoor-spotted-in-the-wild/" ], "synonyms": [], "type": [] }, "uuid": "8572e47c-292d-452a-b124-4e3932113c11", "value": "Berbew" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.berbomthum", "https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/" ], "synonyms": [], "type": [] }, "uuid": "6944cbe7-db95-422d-8751-98c9fc4f0b12", "value": "Berbomthum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", "https://securitykitten.github.io/2015/07/14/bernhardpos.html", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-07-14-bernhardpos.md" ], "synonyms": [], "type": [] }, "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", "value": "BernhardPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bestkorea", "https://github.com/Jacquais/BestKorea" ], "synonyms": [], "type": [] }, "uuid": "33308a2c-b1ef-4cbb-9240-25cb6dce55a9", "value": "BestKorea" }, { "description": "Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. 
The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", "https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/", "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "http://www.xylibox.com/2015/04/betabot-retrospective.html", "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html" ], "synonyms": [ "Neurevt" ], "type": [] }, "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", "value": "BetaBot" }, { "description": "Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files. 
\r\n\r\nThe Trojan may perform the following actions: \r\nList, move, and delete drives\r\nList, move, and delete files\r\nList processes and running Windows titles\r\nList services\r\nList registry values\r\nKill processes\r\nMaximize, minimize, and close windows\r\nUpload and download files\r\nExecute shell commands\r\nUninstall itself", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "29f45180-cb57-4655-8812-eb814c2a0b0e", "value": "Bezigate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot" ], "synonyms": [], "type": [] }, "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", "value": "BfBot" }, { "description": "BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computers to the C2 server. It searches for many different cryptocurrencies (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, Sweet_Bonanza steals victims' browser passwords. There are also modules like the Golden7 or the Chaos_crew module.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt", "https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf", "https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/", "https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger" ], "synonyms": [], "type": [] }, "uuid": "ae3fe9fa-0717-413e-94fe-6e7b607e45c6", "value": "BHunt" }, { "description": "BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. 
The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian", "https://twitter.com/malwrhunterteam/status/1558548947584548865", "https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye", "https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/", "https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/", "https://www.youtube.com/live/O2Wx7mQHR2I?si=uydJupvHK6sxxw3n", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/", "https://embee-research.ghost.io/building-advanced-censys-queries-utilising-regex-bianlian/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/" ], 
"synonyms": [], "type": [] }, "uuid": "fcc016ad-41a0-4bda-ad88-9542b5f560d9", "value": "BianLian (Windows)" }, { "description": "Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows system processes and kills shadow copies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware", "http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/", "http://zirconic.net/2018/07/bi_d-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "9f80bebb-dc5d-4cc1-b2dc-16bca1bbfaad", "value": "BI_D Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bifrose", "https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html" ], "synonyms": [], "type": [] }, "uuid": "47e654af-8b94-4b97-a2ea-6a28c1bc8099", "value": "bifrose" }, { "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. 
Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", "https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html", "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server", "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/", "https://habrahabr.ru/post/213973/", "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/", "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf", "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf" ], "synonyms": [], "type": [] }, "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", "value": "BillGates" }, { "description": "Binanen is a dropper that drops and executes a section of itself into a hidden dummy process. According to F-Secure, it executes command line tools such as (for example) asipconfig, which is useful to retrieve the network configuration. 
The malware aims to steal information about the machine, the username, installed software and, more generally speaking, it potentially can carry out actions on the compromised machine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.binanen", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Binanen-B/detailed-analysis.aspx" ], "synonyms": [], "type": [] }, "uuid": "a76a35e4-6ef7-45ad-9656-98584835d910", "value": "Binanen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata", "https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/" ], "synonyms": [], "type": [] }, "uuid": "96bcaa83-998b-4fb2-a4e7-a2d33c6427d7", "value": "BioData" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bioload", "https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html" ], "synonyms": [], "type": [] }, "uuid": "04803315-fc17-44d0-839e-534b9da4c7fc", "value": "bioload" }, { "description": "BIOPASS RAT is a malware family which targets online gambling companies in China by leveraging a watering hole attack. 
This Remote Access Trojan (RAT) is unique in that it leverages the Open Broadcaster Software (OBS) framework to monitor the user's screen.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biopass", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html" ], "synonyms": [], "type": [] }, "uuid": "f3cdfef4-7976-42f9-8b5e-a67d4a62b5c1", "value": "BIOPASS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "zxdosml" ], "type": [] }, "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", "value": "Biscuit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath", "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a", "https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/" ], "synonyms": [], "type": [] }, "uuid": "fa8b2a91-ec55-41cc-b5f6-3d233cc3cc65", "value": "BISTROMATH" }, { "description": "Bitpylock is a ransomware that encrypts files by using asymmetric keys and puts '.bitpy' as suffix once the encryption phase ended. The ransom note appears on the affected user's Desktop with the following name: \"# # HELP_TO_DECRYPT_YOUR_FILES # .html\". 
At the time of writing the ransom request is 0.8 BTC and the communication email is: helpbitpy@cock.li.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock", "https://twitter.com/malwrhunterteam/status/1215252402988822529", "https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/", "https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview" ], "synonyms": [], "type": [] }, "uuid": "da5adcc1-9adc-4e86-9034-08aafecc14c1", "value": "BitPyLock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsloth", "https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth" ], "synonyms": [], "type": [] }, "uuid": "5297e3aa-6fe8-469c-8890-9c4ecff2a57f", "value": "BITSloth" }, { "description": "SHADYCAT is a dropper and spreader component for the HERMES 2.1 RANSOMWARE radical edition.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf", "https://content.fireeye.com/apt/rpt-apt38", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" ], "synonyms": [ "SHADYCAT" ], "type": [] }, "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", "value": "Bitsran" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat", "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", 
"https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/", "https://blog.strikeready.com/blog/dont-get-bitter-about-being-targeted--fight-back-with-the-help-of-the-community./" ], "synonyms": [], "type": [] }, "uuid": "265f96d1-fdd4-4dec-b7ca-51ae6f726634", "value": "Bitter RAT" }, { "description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat", "https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/", "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/", "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", "https://www.youtube.com/watch?v=CYm3g4zkQdw", "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/", "https://community.riskiq.com/article/ade260c6", 
"https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", "https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://asec.ahnlab.com/en/32781/", "https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/", "https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/", "https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/", 
"https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md", "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/" ], "synonyms": [], "type": [] }, "uuid": "8c4363f4-4f38-4a5a-bc87-16f0721bd03b", "value": "BitRAT" }, { "description": "Kaspersky Labs characterizes Bizarro as yet another banking Trojan family originating from Brazil that is now found in other regions of the world. They have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bizarro", "https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/" ], "synonyms": [], "type": [] }, "uuid": "00fb2087-7e08-4649-ac93-9547deda7aca", "value": "Bizzaro" }, { "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner", "https://www.evild3ad.com/405/bka-trojaner-ransomware/" ], "synonyms": [ "bwin3_bka" ], "type": [] }, "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", "value": "BKA Trojaner" }, { "description": "\"Black Basta\" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a", "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", 
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview", "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware", "https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/", "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/", "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", "https://gbhackers.com/black-basta-ransomware/", "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://www.youtube.com/watch?v=iD_KZAqNDZ0", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/", 
"https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/", "https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/", "https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/", "https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", "https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html", "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta", "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/", "https://securelist.com/luna-black-basta-ransomware/106950", "https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware", "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla", "https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", "https://www.zscaler.com/blogs/security-research/back-black-basta" ], "synonyms": [ "no_name_software" ], "type": [] }, "uuid": "ada47367-7e69-4122-b5c1-4e5aeb54f922", "value": "Black Basta (Windows)" }, { "description": "Ransomware. 
Uses a dropper written in JavaScript to deploy a .NET payload.
"https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", "https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure", "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://twitter.com/splinter_code/status/1628057204954652674" ], "synonyms": [], "type": [] }, "uuid": "c7732221-fbb3-4469-a1c6-260a825b290a", "value": "BlackByte" }, { "description": "ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.\r\n\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. 
ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.
"https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3", "https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware", "https://blog.sekoia.io/scattered-spider-laying-new-eggs/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/", "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/", "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://www.trellix.com/about/newsroom/stories/research/scattered-spider-the-modus-operandi/", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware", "https://www.mandiant.com/resources/blog/alphv-ransomware-backup", "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", "https://github.com/f0wl/blackCatConf", "https://www.ic3.gov/Media/News/2022/220420.pdf", "https://community.riskiq.com/article/47766fbd", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", "https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/", 
"https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", "https://securelist.com/a-bad-luck-blackcat/106254/", "https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", "https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html", "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", "https://www.intrinsec.com/alphv-ransomware-gang-analysis/", "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/", "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", 
"https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack", "http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf", "https://www.theregister.com/2023/11/16/blackcat_ransomware_luring_corporate_targets/", "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/" ], "synonyms": [ "ALPHV", "Noberus" ], "type": [] }, "uuid": "44109c47-f4ab-41c0-8d18-b93e7dcd8e42", "value": "BlackCat (Windows)" }, { "description": "a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://attack.mitre.org/groups/G0025/", "https://attack.mitre.org/groups/G0096", "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://attack.mitre.org/groups/G0001/", "https://www.youtube.com/watch?v=NFJqD-LcpIg", "https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/", "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf", "https://attack.mitre.org/software/S0069/", "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" ], "synonyms": [ "PNGRAT", "ZoxPNG", "gresim" ], 
"type": [] }, "uuid": "ff660bf2-a9e4-4973-be0c-9f6618e40899", "value": "BLACKCOFFEE" }, { "description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. 
Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo “remote desktop”\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", "https://marcusedmondson.com/2019/01/18/black-energy-analysis/", "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://www.secureworks.com/research/blackenergy2", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", 
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://attack.mitre.org/groups/G0034", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://securelist.com/black-ddos/36309/", "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", "http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf", "https://threatconnect.com/blog/casting-a-light-on-blackenergy/", "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", "value": "BlackEnergy" }, { "description": "According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard", "https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html", 
"https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer", "https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5", "https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm", "https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4", "https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking", "https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/", "https://www.youtube.com/watch?v=Fd8WjxzY2_g", "https://cyberint.com/blog/research/blackguard-stealer/", "https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/", "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/", "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/", "https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/", "https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data", "https://ke-la.com/information-stealers-a-new-landscape/" ], "synonyms": [], "type": [] }, "uuid": "86048398-cfc2-4d6c-a49f-9114e2966b61", "value": "BlackGuard" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware", "https://news.sophos.com/en-us/2021/03/23/black-kingdom/", "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://securelist.com/black-kingdom-ransomware/102873/", 
"https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "246b6563-edd8-49c7-9d3c-97dc1aec6b81", "value": "BlackKingdom Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://kn0s-organization.gitbook.io/blacklotus-analysis-stage2-bootkit-rootkit-stage/", "https://cocomelonc.github.io/book/2023/12/13/malwild-book.html", "https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html", "https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html", "https://mssplab.github.io/threat-hunting/2023/07/15/malware-src-blacklotus.html" ], "synonyms": [], "type": [] }, "uuid": "6d542c85-cf94-466f-97a2-eac3c50fbea2", "value": "BlackLotus" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmagic", "https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "80735865-325c-4829-a6df-22e5d84735e6", "value": "BlackMagic" }, { "description": "According to PCrisk, BlackMatter is a piece of malicious software categorized as ransomware. It operates by encrypting data for the purpose of making ransom demands for the decryption tools. In other words, files affected by BlackMatter are rendered inaccessible, and victims are asked to pay - to recover access to their data.\r\n\r\nDuring the encryption process, files are appended with an extension consisting of a random character string. 
For example, a file initially named \"1.jpg\" would appear as something similar to \"1.jpg.k5RO9fVOl\". After this process is complete, the ransomware changes the desktop wallpaper and created a ransom note - \"[random_string].README.txt\" (e.g., k5RO9fVOl.README.txt).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter", "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration", "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/", "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.mandiant.com/resources/cryptography-blackmatter-ransomware", "https://blog.group-ib.com/blackmatter2", "https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up", "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", "https://assets.virustotal.com/reports/2021trends.pdf", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html", "https://www.glimps.fr/lockbit3-0/", "https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/", 
"https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.varonis.com/blog/blackmatter-ransomware/", "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", "https://blog.minerva-labs.com/blackmatter", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/", "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", "https://us-cert.cisa.gov/ncas/alerts/aa21-291a", "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps", "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter", "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", "https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf", 
"https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", "https://twitter.com/GelosSnake/status/1451465959894667275", "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/", "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf", "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/", "https://www.youtube.com/watch?v=NIiEcOryLpI", "https://blog.group-ib.com/blackmatter#" ], "synonyms": [], "type": [] }, "uuid": "f838f3bb-a36b-49df-8f8c-1bb8cf66b736", "value": "BlackMatter (Windows)" }, { "description": "Advanced and modern Windows botnet with PHP panel developed using VB.NET. It has a lot of functionalities including: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. 
It is open source and emerged at the end of 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat", "https://github.com/FarisCode511/BlackNET/", "https://labs.k7computing.com/?p=21365", "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/", "https://github.com/BlackHacker511/BlackNET/", "https://github.com/mave12/BlackNET-3.7.0.1", "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware", "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html" ], "synonyms": [], "type": [] }, "uuid": "656c4009-cd79-4501-9fc9-7ad2d97b634c", "value": "BlackNET RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknix_rat", "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb" ], "synonyms": [], "type": [] }, "uuid": "845ce966-fb40-4f12-b9c1-8b97263a589e", "value": "BlackNix RAT" }, { "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/" ], "synonyms": [ "Kaptoxa", "MMon", "POSWDS", "Reedum" ], "type": [] }, "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c", "value": "BlackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote", "https://asec.ahnlab.com/en/56405/", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/", "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/" ], "synonyms": [ "BlackRAT" ], "type": [] }, "uuid": "b1302517-d5c9-44bb-833d-4396365915db", "value": "BlackRemote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution" ], "synonyms": [], "type": [] }, "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", "value": "BlackRevolution" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter", "https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/", "https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/" ], "synonyms": [ "BLACKHEART" ], "type": [] }, "uuid": "0b235fbf-c191-47c0-ae83-9386a64b1c79", "value": 
"BlackRouter" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby", "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/", "https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware" ], "synonyms": [], "type": [] }, "uuid": "617d53dd-1143-4146-bbc0-39e975a26fe5", "value": "Blackruby" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/", "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga" ], "synonyms": [], "type": [] }, "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", "value": "BlackShades" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksnake", "https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/" ], "synonyms": [], "type": [] }, "uuid": "366fe903-5ab4-47d3-a0e0-8ff45b2b4a8c", "value": "BlackSnake" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksoul", "https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/" ], "synonyms": [], "type": [] }, "uuid": "58701e4d-87aa-45a5-adfd-9b20f50fea91", "value": "BlackSoul" }, { "description": "According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksuit", 
"https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/", "https://thedfirreport.com/2024/08/26/blacksuit-ransomware/", "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html", "https://www.reliaquest.com/blog/blacksuit-attack-analysis/" ], "synonyms": [], "type": [] }, "uuid": "b73202ea-e636-4e70-91b1-f29c1db4cbb1", "value": "BlackSuit (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat", "https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/", "https://github.com/BlackHacker511/BlackWorm", "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html" ], "synonyms": [], "type": [] }, "uuid": "02d2bb6d-9641-406e-9767-58aff2fad6c7", "value": "Blackworm RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bleachgap", "https://labs.k7computing.com/index.php/bleachgap-revamped/" ], "synonyms": [], "type": [] }, "uuid": "cfcdbf20-304e-4ea4-bec1-d84bb78e723f", "value": "BleachGap" }, { "description": "BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).\r\nIt uses (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. \r\nIt sends information about the victim's environment, like computer name, IP, Windows product name and processor name.\r\nIt supports around 30 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indices being skipped. 
\r\nIt uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.\r\nIt contains specific RTTI symbols like \".?AVCHTTP_Protocol@@\", \".?AVCFileRW@@\" or \".?AVCSinSocket@@\".\r\nBLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a", "https://www.cisa.gov/news-events/analysis-reports/ar20-232a", "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf", "https://www.hvs-consulting.de/lazarus-report/", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/", "https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/", "https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/", "https://securelist.com/it-threat-evolution-q2-2023/110355/", "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" ], "synonyms": [ "AIRDRY", "ZetaNile" ], "type": [] }, "uuid": "44d22b4e-5ad4-4f05-a421-95607706378d", "value": "BLINDINGCAN" }, { "description": "BLINDTOAD is 64-bit Service DLL that loads an encrypted file from disk and executes it in memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/", "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html", "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf", "https://content.fireeye.com/apt/rpt-apt38" ], "synonyms": [], "type": [] }, "uuid": "b34fd401-9d37-4bc6-908f-448c1697f749", "value": "BLINDTOAD" }, { "description": "Elastic observed this loader coming with valid code signatures, being used to deploy secondary payloads in-memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://redcanary.com/blog/intelligence-insights-january-2022/", "https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/", "https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/", "https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/", "https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", "https://security-labs.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader", "https://elastic.github.io/security-research/malware/2022/05/02.blister/article/", "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", 
"https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://twitter.com/MsftSecIntel/status/1522690116979855360" ], "synonyms": [ "COLORFAKE" ], "type": [] }, "uuid": "8ffc1f23-c0a6-4186-b06e-11a72c153722", "value": "Blister" }, { "description": "This malware family is the suspected successor to ShadowPad and Deed RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bloodalchemy", "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor" ], "synonyms": [], "type": [] }, "uuid": "ca547f0c-6cd1-4381-bcf1-143dd0798690", "value": "BloodAlchemy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bloodystealer", "https://twitter.com/3xp0rtblog/status/1380087553676697617", "https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/" ], "synonyms": [], "type": [] }, "uuid": "ecdc0a43-8845-4dc4-a3f0-de2f0142aa4d", "value": "BloodyStealer" }, { "description": "BlueFox is a .NET infostealer sold on forums as a Malware-as-a-Service. 
Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, and file grabber and loader capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluefox", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/", "https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/" ], "synonyms": [], "type": [] }, "uuid": "f9f5d767-3460-49f3-94c2-5dd91b341505", "value": "BlueFox" }, { "description": "Mandiant associates this with UNC4191, this malware is a launcher for NCAT to establish a reverse tunnel.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluehaze", "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia" ], "synonyms": [], "type": [] }, "uuid": "3dcfef7b-d657-4ac5-b738-ef793237274b", "value": "BLUEHAZE" }, { "description": "Malware family used to deliver follow up payloads, variants using Microsoft Graph API and Google Web Apps have been observed.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluelight", "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" ], "synonyms": [], "type": [] }, "uuid": "9c5ec440-2bb8-4485-9811-f2fb52cf76e5", "value": "BLUELIGHT" }, { "description": "This family contains the BlueNoroff toolkit used for SWIFT manipulation, as used by the Lazarus activity cluster also referred to as BlueNoroff.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluenoroff", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" ], "synonyms": [], "type": [] }, "uuid": "862e9c13-dde6-473e-a816-a7d7043bf73c", "value": "BlueNoroff" }, { "description": "According to AhnLab, BlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and Mac operating systems. 
Currently, the original Github repository is presumed to have been deleted, but the BlueShell source code can still be obtained from other repositories. It features an explanatory ReadMe file in Chinese, indicating the possibility that the creator is a Chinese user.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "https://hunt.io/blog/blueshell-four-years-on-still-a-formidable-threat", "https://asec.ahnlab.com/en/47455/", "https://asec.ahnlab.com/ko/56715/", "https://asec.ahnlab.com/en/56941/" ], "synonyms": [], "type": [] }, "uuid": "91d441a6-4244-43a2-9b96-354a2df63a4e", "value": "BlueShell" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluesky", "https://yoroi.company/research/dissecting-bluesky-ransomware-payload/", "https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/", "https://cloudsek.com/technical-analysis-of-bluesky-ransomware/", "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/", "https://unit42.paloaltonetworks.com/bluesky-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "5c19d979-4c22-452f-b4f0-9325a46b7083", "value": "BlueSky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether", "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf" ], "synonyms": [ "CAPGELD" ], "type": [] }, "uuid": "cf542e2d-531c-4d34-98c8-7e3cb26a32af", "value": "BLUETHER" }, { "description": "Avast describe this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer", 
"https://decoded.avast.io/anhho/blustealer/", "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer", "https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/", "https://twitter.com/GoSecure_Inc/status/1437435265350397957" ], "synonyms": [ "a310logger" ], "type": [] }, "uuid": "cb4bfed3-3042-4a29-a72d-c8b5c510faea", "value": "BluStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bmanager", "https://www.group-ib.com/blog/boolka/" ], "synonyms": [], "type": [] }, "uuid": "c26b2dd3-4641-4174-977d-6813f2181a05", "value": "BMANAGER" }, { "description": "FIN7 uses this malware as a helper module during intrusion operations. BOATLAUNCH continuously looks for PowerShell processes on infected systems and patches them in memory to bypass the Windows Antimalware Scan Interface (AMSI).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch", "https://www.mandiant.com/resources/evolution-of-fin7" ], "synonyms": [], "type": [] }, "uuid": "13e62fe0-af0e-4a44-8437-ed86101f12d4", "value": "BOATLAUNCH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" ], "synonyms": [], "type": [] }, "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", "value": "Boaxxe" }, { "description": "This malware offers remote access capabilities but also has a DDoS module that was used against supporters of Ukraine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bobik", 
"https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/", "https://decoded.avast.io/martinchlumecky/bobik/" ], "synonyms": [], "type": [] }, "uuid": "71a2182f-1010-496d-8c20-7a60639adff1", "value": "Bobik" }, { "description": "According to Trend Micro, this is a ransomware written in Go, targeting Windows and macOS environments, that tries to disguise itself as LockBit by changing the wallpaper to a LockBit 2 screen. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bocklit", "https://www.trendmicro.com/en_in/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html" ], "synonyms": [], "type": [] }, "uuid": "a7863070-0dd0-4176-8ab8-4630ef615c0f", "value": "BockLit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" ], "synonyms": [], "type": [] }, "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b", "value": "Bohmini" }, { "description": "According to Mandiant, this malware family is attributed to a suspected China-nexus actor; its Linux variant was observed in connection with the exploitation of the Fortinet FortiOS SSL-VPN vulnerability CVE-2022-42475.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove", "https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html", "https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw" ], "synonyms": [], "type": [] }, "uuid": "4212b386-b6de-4b06-86f1-ba20b5c01447", "value": "BOLDMOVE (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek", "https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt", "https://securelist.com/kbot-sometimes-they-come-back/96157/", "http://www.cert.pl/news/11379" ], "synonyms": [ "KBOT" ], "type": [] }, "uuid": 
"d3af810f-e657-409c-b821-4b1cf727ad18", "value": "Bolek" }, { "description": "BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim’s filesystem, basic process management and the download and execution of additional tools from the attacker’s arsenal. They are indexed by 32-bit integers, starting with the value 0x97853646. \r\n\r\nBookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat", "https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/", "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf" ], "synonyms": [ "BookCodesTea" ], "type": [] }, "uuid": "433b9a1c-dd2a-4d2b-b469-47b40fc6c196", "value": "BookCodes RAT" }, { "description": "This in .Net written malware is a classic information stealer. 
It can collect a variety of information and can be deployed in different configurations: \"The full-featured version of the malware can log keystrokes, collect profile files of Mozilla Firefox and Google Chrome browsers, record sound from the microphone, grab desktop screenshots, capture photo from the webcam, and collect information about the version of the operation system and installed anti-virus software.\" (ESET)\r\nThis malware has been active since at least 2012.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookofeli", "https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/" ], "synonyms": [], "type": [] }, "uuid": "2029a6f7-f98e-4582-bc5b-7ff0188f1af2", "value": "Book of Eli" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookworm", "https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/" ], "synonyms": [], "type": [] }, "uuid": "1b8cfb29-7a63-459a-bc90-c9ea3634b21c", "value": "Bookworm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boombox", "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/", "https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/", "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/" ], "synonyms": [], "type": [] }, "uuid": "e8112e1a-4fda-4857-8df8-0ba7fb5ea1ba", "value": "BOOMBOX" }, { "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. 
The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "a24eb119-d526-4aa4-ab5f-171ccddd4fbc", "value": "BOOSTWRITE" }, { "description": "BOOTWRECK is a master boot record wiper malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/", "https://content.fireeye.com/apt/rpt-apt38" ], "synonyms": [ "MBRkiller" ], "type": [] }, "uuid": "174b9314-765e-44d0-a761-10d352f4466c", "value": "BOOTWRECK" }, { "description": "The Borat RAT comes bundled with its components (e.g. binary builder, supporting modules, server certificates). 
According to Cyble, this malware is a unique combination of RAT, spyware, and ransomware.\r\nThe supporting modules are included; a few of the capabilities: Keylogger, Ransomware, Audio/Webcam Recording, Process Hollowing, Browser Credential/Discord Token Stealing, etc.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boratrat", "https://blogs.blackberry.com/en/2022/04/threat-thursday-boratrat", "https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/", "https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/" ], "synonyms": [], "type": [] }, "uuid": "7ff0b462-c5be-40fa-82da-7efe93722f92", "value": "Borat RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.borr", "https://github.com/onek1lo/Borr-Stealer", "https://telegra.ph/Borr-Malware-02-04", "https://twitter.com/ViriBack/status/1222704498923032576" ], "synonyms": [], "type": [] }, "uuid": "e016e652-8d02-45c4-a268-fe4c588ebd3d", "value": "Borr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bottomloader", "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/" ], "synonyms": [], "type": [] }, "uuid": "450133c9-b40c-4526-a669-5d5cc55276d5", "value": "BottomLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", "value": "Bouncer" }, { "description": "According to Check Point Research, this malware family has the ability to download and upload files, run commands and send the attackers the results. 
It has been observed being used by threat actor IndigoZebra.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boxcaon", "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" ], "synonyms": [], "type": [] }, "uuid": "5ccb9d4c-bb9b-48ee-9ea3-a64a81eb210f", "value": "BoxCaon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe", "https://securelist.com/apt-trends-report-q1-2021/101967/", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" ], "synonyms": [], "type": [] }, "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", "value": "Bozok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brain", "https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/" ], "synonyms": [], "type": [] }, "uuid": "1619ee64-fc54-47c0-8ee1-8b786fefc0fd", "value": "BRAIN" }, { "description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2", 
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ "SORRYBRUTE" ], "type": [] }, "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", "value": "Brambul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "fbed27da-551d-4793-ba7e-128256326909", "value": "BravoNC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md" ], "synonyms": [], "type": [] }, "uuid": "b9a4455a-ad55-4858-9017-bb73a8640045", "value": "BrbBot" }, { "description": "This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. 
The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html" ], "synonyms": [], "type": [] }, "uuid": "52cf2986-89e8-463d-90b6-e4356c9777e7", "value": "BreachRAT" }, { "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" ], "synonyms": [], "type": [] }, "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd", "value": "Breakthrough" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/" ], "synonyms": [], "type": [] }, "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", "value": "Bredolab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brittle_bush", 
"https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage" ], "synonyms": [], "type": [] }, "uuid": "fd4665b8-59b6-427f-a22d-bb3b50e9e176", "value": "BrittleBush" }, { "description": "According to Mandiant, BROKEYOLK is a .NET downloader that downloads and executes a file from a hard-coded command and control (C2) server. The malware communicates via SOAP (Simple Object Access Protocol) requests using HTTP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brokeyolk", "https://www.mandiant.com/media/17826", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "dd19501d-c23e-4a52-8cef-726a8483d6c2", "value": "BROKEYOLK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.broler", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" ], "synonyms": [ "down_new" ], "type": [] }, "uuid": "9a544700-13e3-490f-ae4e-45b3fd159546", "value": "BROLER" }, { "description": "Oyster is a backdoor malware written in C++, first appearing in July 2023. It allows for remote sessions, supporting tasks like file transfer and command-line processing. This malware has been used by numerous threat actors as a tool to support ransomware intrusions. The distribution of Oyster has most likely been spread through various methods, which is suggested by the build identifiers in examined samples. Additionally, Oyster is capable of collecting basic system data and communicates with a command-and-control server (C2). 
It can execute commands via cmd.exe and run additional files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick", "https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf", "https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm", "https://exchange.xforce.ibmcloud.com/malware-analysis/guid:2f96dded08ec1c2dd039fca21378050c", "https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/", "https://hunt.io/blog/a-simple-approach-to-discovering-oyster-backdoor-infrastructure", "https://exchange.xforce.ibmcloud.com/malware-analysis/guid:df2b52d89c5c0edfdf7bdaa6f67dd714", "https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/" ], "synonyms": [ "CLEANBOOST", "CleanUp", "CleanUpLoader", "Oyster" ], "type": [] }, "uuid": "10072fed-e5ef-4c97-9fe8-ca33f1e0b1f6", "value": "Broomstick" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bruh_wiper", "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper" ], "synonyms": [], "type": [] }, "uuid": "33b76b3f-7056-4892-a134-6e984f500c3c", "value": "Bruh Wiper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader", "https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/", "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later", "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html" ], "synonyms": [], "type": [] }, "uuid": "75a03c4f-8a97-4fc0-a69e-b2e73e4564fc", "value": "BrushaLoader" }, { "description": "Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. 
BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.\r\nThis agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://0xdarkvortex.dev/hiding-in-plainsight/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", "https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/", "https://blog.spookysec.net/analyzing-brc4-badgers/", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/", "https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/", "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://twitter.com/MichalKoczwara/status/1652067563545800705", "https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb", "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", 
"https://blog.reveng.ai/latrodectus-distribution-via-brc4/", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://blog.krakz.fr/articles/latrodectus/", "https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html", "https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/", "https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/", "https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/", "https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA", "https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities", "https://www.protect.airbus.com/blog/incident-response-analysis-of-recent-version-of-brc4/", "https://www.youtube.com/watch?v=a7W6rhkpVSM", "https://protectedmo.de/brute.html" ], "synonyms": [ "BOLDBADGER", "BruteRatel" ], "type": [] }, "uuid": "19e4df44-d469-4903-8999-22d650a21dd7", "value": "Brute Ratel C4" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos", "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html" ], "synonyms": [], "type": [] }, "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151", "value": "BrutPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://github.com/nccgroup/Royal_APT", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", "value": "BS2005" }, { "description": "According to PCRisk, BTCWare is an updated version of 
a ransomware-type virus called Crptxxx. This ransomware is distributed via a malicious application called \"Rogers Hi-Speed Internet\". Once infiltrated, BTCWare encrypts files and appends filenames with the \".btcware\" extension. Newer variants of this ransomware append .shadow, .payday, .wyvern, .nuclear, .aleta, .gryphon, .nopasaran, .blocking, .xfile, .master, .onyon, .theva, .cryptobyte or .cryptowin extensions to encrypted files. BTCWare then creates an HTM file (\"#_HOW_TO_FIX_!.hta.htm\"), placing it on the desktop. Other variants of this ransomware use !#_RESTORE_FILES_#!.inf file to store their ransom demanding message.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware", "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" ], "synonyms": [], "type": [] }, "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", "value": "BTCWare" }, { "description": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap", "https://attack.mitre.org/software/S0043/", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "synonyms": [], "type": [] }, "uuid": "d114ee6c-cf7d-408a-8077-d59e736f5a66", "value": "BUBBLEWRAP" }, { "description": "Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. 
It has been observed in email campaigns and has been sold as a service since August 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", "https://twitter.com/StopMalvertisin/status/1182505434231398401", "https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "http://www.secureworks.com/research/threat-profiles/gold-symphony", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader", "https://blog.group-ib.com/prometheus-tds", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blog.minerva-labs.com/stopping-buerloader", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/", "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/", "https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", 
"https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace", "https://twitter.com/SophosLabs/status/1321844306970251265", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/", "https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf", "https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html" ], "synonyms": [ "Buerloader", "RustyBuer" ], "type": [] }, "uuid": "b908173c-c89e-400e-b69d-da411120dae2", "value": "Buer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buffetline", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045f", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/" ], "synonyms": [], "type": [] }, "uuid": "eca37457-cdd4-44c7-ad07-7a4a863e8765", "value": "BUFFETLINE" }, { "description": "According to Elastic, BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded 
shellcode blob in its allocated memory space using common Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bughatch", "https://www.elastic.co/security-labs/bughatch-malware-analysis" ], "synonyms": [], "type": [] }, "uuid": "d05f8cfe-ae3f-4468-9c48-90124b59ccda", "value": "BUGHATCH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bugsleep", "https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/", "https://nikhilh-20.github.io/blog/inject_bugsleep/", "https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/" ], "synonyms": [ "MuddyRot" ], "type": [] }, "uuid": "edbe6c15-6ce8-4927-9f74-0504f0711049", "value": "bugsleep" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/", "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", "https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/", "https://www.scythe.io/library/threatthursday-buhtrap", "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code", "https://malware-research.org/carbanak-source-code-leaked/", 
"https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/", "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf" ], "synonyms": [ "Ratopak" ], "type": [] }, "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", "value": "Buhtrap" }, { "description": "This malware is delivered by an ISO file, with an DLL inside with a custom loader. Because of the unique user-agent \"bumblebee\" this malware was dubbed BUMBLEBEE. At the time of Analysis by Google's Threat Analysis Group (TAG) BumbleBee was observed to fetch Cobalt Strike Payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee", "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/", "https://www.vmray.com/cyber-security-blog/understanding-bumblebee-the-malware-configuration-and-clusters/", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://www.youtube.com/watch?v=JoKJNfLAc0Y", "https://twitter.com/Intrinsec/status/1709609529070010447", "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://blog.talosintelligence.com/following-the-lnk-metadata-trail", "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/", "https://isc.sans.edu/diary/28636", "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", "https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/", "https://www.youtube.com/watch?v=pIXl79IPkLI", "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/", 
"https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html", "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return", "https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader", "https://threathunt.blog/bzz-bzz-bumblebee-loader", "https://isc.sans.edu/diary/rss/28664", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf", "https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence", "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056", "https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://twitter.com/Artilllerie/status/1701250284238823493", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/", "https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/", "https://www.vmray.com/cyber-security-blog/understanding-bumblebee-the-malicious-behavior/", "https://blog.cerbero.io/?p=2617", "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns", "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/", "https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black", "https://bin.re/blog/the-dga-of-bumblebee/", 
"https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti", "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming", "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx", "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads", "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/", "https://www.vmray.com/cyber-security-blog/understanding-bumblebee-loader-the-delivery/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign", "https://community.riskiq.com/article/0b211905/description", "https://www.botconf.eu/wp-content/uploads/formidable/2/2023_4889_DESOUZA.pdf", "https://blog.krakz.fr/articles/bumblebee/", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", "https://isc.sans.edu/diary/rss/28636", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://twitter.com/threatinsight/status/1648330456364883968", "https://twitter.com/ESETresearch/status/1577963080096555008", "https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem", "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", 
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", "https://twitter.com/Intrinsec/status/1699779830294970856", "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html" ], "synonyms": [ "COLDTRAIN", "SHELLSTING", "Shindig" ], "type": [] }, "uuid": "fa47d59d-7251-468f-9d84-6e1ba21887db", "value": "BumbleBee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", "https://www.f-secure.com/weblog/archives/00002249.html", "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf" ], "synonyms": [ "0zapftis", "R2D2" ], "type": [] }, "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", "value": "Bundestrojaner" }, { "description": "Bundlebot is an info stealer that abuses the single-file dotnet bundle which operates as a self-contained executable that does not require any preinstalled dotnet runtime version. Bundlebot functionality targets a wide variety of data including the victim's system information, browser data, telegram data, discord token, Facebook account information, and screenshots. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundlebot", "https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/" ], "synonyms": [], "type": [] }, "uuid": "d63eb20b-6a3f-4d96-a52d-8395f1868389", "value": "BundleBot" }, { "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. 
Access to Bunitu proxies is available through criminal VPN services (e.g. VIP72).
"https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby", "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/" ], "synonyms": [], "type": [] }, "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1", "value": "BYEBY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" ], "synonyms": [], "type": [] }, "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", "value": "c0d0so0" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" ], "synonyms": [], "type": [] }, "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", "value": "CabArt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cactus", "https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape", "https://twitter.com/MsftSecIntel/status/1730383711437283757", "https://www.shadowstackre.com/analysis/cactus" ], "synonyms": [], "type": [] }, "uuid": "2ff26425-93b6-46ad-9c39-28eb9dbc3974", "value": "Cactus" }, { "description": "CaddyWiper is another destructive malware believed to be deployed to target Ukraine.\r\n\r\nCaddyWiper wipes all files under C:\\Users and all also all files under available drives from D: to Z: by overwriting the data with NULL value. 
If a target file is larger than 0xA00000 bytes (10 MiB), only its first 0xA00000 bytes are overwritten.\r\n\r\nIt also destroys the partition layout of physical drives \\\\.\\PHYSICALDRIVE9 down to \\\\.\\PHYSICALDRIVE0 by overwriting the first 0x780 (1920) bytes of each drive with null bytes, which covers the MBR and partition table.
"https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/", "https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology", "https://cert.gov.ua/article/39518", "https://twitter.com/HackPatch/status/1503538555611607042", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/", "https://www.nioguard.com/2022/03/analysis-of-caddywiper.html", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper", "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/", "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/", "https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html", "https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions", "https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine", "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/", "https://www.mandiant.com/resources/blog/gru-disruptive-playbook", "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper", "https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html", 
"https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/" ], "synonyms": [ "KillDisk.NCX" ], "type": [] }, "uuid": "c6053700-5f3b-48cc-8176-191393522fc3", "value": "CaddyWiper" }, { "description": "CadelSpy is a spyware supposedly used by Iranian threat actors. It has several functions such as logging keystrokes, record audio, capture screenshots and webcam photos, and steal any documents that are sent to a printer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" ], "synonyms": [ "Cadelle" ], "type": [] }, "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", "value": "CadelSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn", "https://www.datanet.co.kr/news/articleView.html?idxno=133346", "https://twitter.com/8th_grey_owl/status/1357550261963689985", "https://www.youtube.com/watch?v=3cUWjojQXWE" ], "synonyms": [], "type": [] }, "uuid": "52c0b49b-d57e-400d-8808-a00d4171ac05", "value": "CALMTHORN" }, { "description": "PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware" ], "synonyms": [ "StormKitty" ], "type": [] }, "uuid": "d3fb548f-64cb-4997-8262-1dca695fbae2", "value": "Cameleon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader", 
"https://blog.group-ib.com/prometheus-tds", "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/", "https://unit42.paloaltonetworks.com/bazarloader-malware/" ], "synonyms": [], "type": [] }, "uuid": "2bf8ef91-a220-49aa-a7b9-0437d2ee0b15", "value": "campoloader" }, { "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" ], "synonyms": [], "type": [] }, "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", "value": "CamuBot" }, { "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. 
The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" ], "synonyms": [], "type": [] }, "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", "value": "Cannibal Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", "https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html", "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/" ], "synonyms": [], "type": [] }, "uuid": "3fada5b6-0b3d-4b83-97c9-2157c959704c", "value": "Cannon" }, { "description": "MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and to remote control.\r\n\r\nThe attacker deploy malware via spear phishing email to lure the user to open and run the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines(ATM) and financial accounts. 
The MyCERT advisory lists the malware's capabilities; that list is not reproduced in this description.
"https://www.mandiant.com/resources/blog/evolution-of-fin7", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout" ], "synonyms": [ "Anunak", "Sekur RAT" ], "type": [] }, "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", "value": "Carbanak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp", "https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://blog.avast.com/2013/04/08/carberp_epitaph/", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf" ], "synonyms": [], "type": [] }, "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", "value": "Carberp" }, { "description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. 
It is delivered via a downloader dubbed “Carp” which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" ], "synonyms": [], "type": [] }, "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", "value": "Cardinal RAT" }, { "description": "CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. CargoBay is likely based on source code taken from 'Black Hat Rust' GitHub project (https://github.com/skerkour/black-hat-rust). CargoBay is usually distributed via phishing emails, and the malware binaries may be disguised as legitimate applications. Upon execution, the malware starts by performing environmental checks such as checking its execution path and the configured system language. If the tests pass, then the malware proceeds to gather basic system information and register with its C2 via HTTP from which it receives JSON-formatted jobs to carry out. 
CargoBay can execute commands via the command line and download additional malware binaries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay", "https://exchange.xforce.ibmcloud.com/malware-analysis/guid:87abff769352d8208e403331c86eb95f" ], "synonyms": [], "type": [] }, "uuid": "cfdc931d-d3da-4b2a-9fef-42592c0f5c5f", "value": "CargoBay" }, { "description": "CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" ], "synonyms": [], "type": [] }, "uuid": "cca82b51-fef9-4f33-a2f5-418b80d0966d", "value": "CARROTBALL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat", "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" ], "synonyms": [], "type": [] }, "uuid": "4ad06a5f-12e6-44ae-9547-98ee62114357", "value": "CarrotBat" }, { "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. 
Casper was used against Syrian targets in April 2014, which made it the most recent publicly known malware from this group at the time of ESET's March 2015 report.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" ], "synonyms": [], "type": [] }, "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", "value": "Casper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.catb", "https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/", "https://www.vmray.com/cyber-security-blog/catb-ransomware-a-new-threat-exploiting-dll-side-loading/", "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf", "https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf", "https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/", "https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection/" ], "synonyms": [], "type": [] }, "uuid": "a96445d6-4bbb-4b9a-a761-83759108a403", "value": "CatB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", "value": "Catchamas" }, { "description": "According to CrowdStrike, this backdoor was discovered embedded in the legitimate, signed version of CCleaner 5.33, and thus constitutes a supply chain attack; because the trojanized build carried a valid vendor code signature, signature verification alone would not have flagged it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", 
"http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html", "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", "https://blog.avast.com/progress-on-ccleaner-investigation", "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", "https://stmxcsr.com/persistence/print-processor.html", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://risky.biz/whatiswinnti/", "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", "https://twitter.com/craiu/status/910148928796061696", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [ "DIRTCLEANER" ], "type": [] }, "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", "value": "CCleaner Backdoor" }, { "description": "Mandiant characterizes this malware as a downloader and shellcode stager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ceeloader", "https://www.mandiant.com/resources/blog/russian-targeting-gov-business" ], "synonyms": 
[], "type": [] }, "uuid": "0333d13e-e01f-46cd-a030-448bbf043c10", "value": "CEELOADER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", "https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" ], "synonyms": [ "cerebrus" ], "type": [] }, "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", "value": "CenterPOS" }, { "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of UDP activity to check in and report infections. Primarily uses TOR for payment information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.justice.gov/usao-dc/press-release/file/1021186/download", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.youtube.com/watch?v=y8Z9KnL8s8s", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", 
"https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/", "https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/", "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf", "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/" ], "synonyms": [], "type": [] }, "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", "value": "Cerber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ceta_rat", "https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388" ], "synonyms": [], "type": [] }, "uuid": "12d2d503-def6-4161-bd42-2093ccad49bd", "value": "CetaRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chachi", "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat" ], "synonyms": [], "type": [] }, "uuid": "6a3e6f07-1aaa-4af5-8bd3-96898aca3510", "value": "ChaChi" }, { "description": "This malware made its first appearance during the middle to end of 2020, it specifically targets Brazil and the largest e-commerce company in Latin America, Mercado Livre. 
It is a multistage malware deployment which uses several legitimate Windows processes and open source tools to remain undetected.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaes", "https://www.morphisec.com/hubfs/Chae$_Chronicles_Chaes4.1.pdf", "https://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers", "https://blog.morphisec.com/chaes-chronicles", "https://decoded.avast.io/anhho/chasing-chaes-kill-chain/", "https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" ], "synonyms": [], "type": [] }, "uuid": "0d4ab3af-189f-49af-b47a-9b25f59f9a12", "value": "Chaes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot", "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", "https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec", "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/" ], "synonyms": [], "type": [] }, "uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6", "value": "Chainshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chairsmack", "https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "f049e626-7de2-4648-81db-53dfd34f2fab", "value": "CHAIRSMACK" }, { "description": "In-development ransomware family which was released in June 2021 by an unknown threat actor. 
The builder initially claimed to be a \"Ryuk .Net Ransomware Builder\" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://threatmon.io/chaos-unleashed-a-technical-analysis-of-a-novel-ransomware/", "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree", "https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia", "https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html", "https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/", "https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/", "https://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials/", "https://twitter.com/vinopaljiri/status/1519645742440329216", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction" ], "synonyms": [ "FakeRyuk", "RyukJoke", "Yashma" ], "type": [] }, "uuid": "fb760029-9331-4ba0-b644-d47a8e6d3ad2", "value": "Chaos (Windows)" }, { "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. 
It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and even its own file indexer for the victim’s machine. Kaspersky discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone", "https://securelist.com/project-tajmahal/90240/", "https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal", "https://securelist.com/apt-trends-report-q2-2019/91897/" ], "synonyms": [ "Taj Mahal" ], "type": [] }, "uuid": "e4027aaa-de86-48ea-8567-c215cdb88ec1", "value": "Chaperone" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chargeweapon", "https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia" ], "synonyms": [], "type": [] }, "uuid": "4eccbebb-9f7d-411f-a8fe-da01c99c8e3b", "value": "ChargeWeapon" }, { "description": "CHCH is a Ransomware spotted in the wild in December 2019. 
It encrypts victim files and adds the extension .chch to them while it drops a ransomware note named: READ_ME.TXT", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chch", "https://twitter.com/GrujaRS/status/1205566219971125249" ], "synonyms": [], "type": [] }, "uuid": "22b03600-505c-41d4-ba1c-45d70cc2e123", "value": "CHCH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" ], "synonyms": [ "HAYMAKER", "Ham Backdoor" ], "type": [] }, "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", "value": "ChChes" }, { "description": "CHEESETRAY is a sophisticated proxy-aware backdoor that can operate in both active and passive mode depending on the passed command-line parameters. The backdoor is capable of enumerating files and processes, enumerating drivers, enumerating remote desktop sessions, uploading and downloading files, creating and terminating processes, deleting files, creating a reverse shell, acting as a proxy server, and hijacking processes among its other functionality. 
The backdoor communicates with its C&C server using a custom binary protocol over TCP with port specified as a command-line parameter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045c", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/" ], "synonyms": [ "CROWDEDFLOUNDER" ], "type": [] }, "uuid": "7a6c1063-32b9-4007-8283-ccd4a2163caa", "value": "CHEESETRAY" }, { "description": "Chernolocker is a ransomware that encrypts a victim's files by using AES-256 and it asks for BTC ransom. Different versions are classified by the attacker's email address which changes over time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chernolocker", "https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "e21dc86d-c8a5-44f7-b9d6-5e60373e838b", "value": "Chernolocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherryloader", "https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/" ], "synonyms": [], "type": [] }, "uuid": "c79c6ad0-3ee9-4fca-be20-084e012ff002", "value": "CherryLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/", "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html" ], "synonyms": [ "cherry_picker", "cherrypicker", "cherrypickerpos" ], "type": [] }, "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", "value": "CherryPicker POS" }, { "description": 
"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" ], "synonyms": [], "type": [] }, "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", "value": "ChewBacca" }, { "description": "According to PCrisk, Chimera is a ransomware virus that encrypts files stored on infected systems. It is distributed using various false job applications, business offers, and infected email attachments. After encrypting the files, Chimera adds a . crypt extension to each file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chimera", "https://www.malwarebytes.com/blog/news/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild" ], "synonyms": [], "type": [] }, "uuid": "830b0526-8e3b-4369-9677-9f8a31ca5ded", "value": "Chimera" }, { "description": "a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1", "https://unit42.paloaltonetworks.com/china-chopper-webshell/", "https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion", "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html", "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html", 
"https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks", "https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4", "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf", "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html", "https://attack.mitre.org/software/S0020/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/", "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html", "https://attack.mitre.org/groups/G0125/", "https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a", "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf", 
"https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers", "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/", "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/", "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://archive.is/LJFEF", "https://unit42.paloaltonetworks.com/atoms/iron-taurus/", "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers", "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/", "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection", "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-259a", "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html", "https://asec.ahnlab.com/en/47455/", "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://attack.mitre.org/groups/G0096", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders", "https://redcanary.com/blog/microsoft-exchange-attacks", "https://www.youtube.com/watch?v=rn-6t7OygGk", "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/", 
"https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/", "https://twitter.com/CyberRaiju/status/1373582619707867136", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/", "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/", "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran", "https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/", "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://twitter.com/ESETresearch/status/1366862946488451088", "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", 
"https://blog.joshlemon.com.au/hafnium-exchange-attacks/", "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf", "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers", "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728", "https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html" ], "synonyms": [], "type": [] }, "uuid": "0d8f0bb7-e14f-4b85-baa1-6ec951aa6c53", "value": "CHINACHOPPER" }, { "description": "Adware that shows advertisements using plugin techniques for popular browsers", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad", "https://www.malwarebytes.com/blog/news/2015/06/unusual-exploit-kit-targets-chinese-users-part-2", "https://www.malwarebytes.com/blog/news/2015/05/unusual-exploit-kit-targets-chinese-users-part-1" ], "synonyms": [], "type": [] }, "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", "value": "Chinad" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinajm", "https://id-ransomware.blogspot.com/2020/02/chinajm-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "ef216f1d-9ee5-4676-ae34-f954a8611290", "value": "ChinaJm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto", "https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", 
"https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064", "https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/", "https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/" ], "synonyms": [], "type": [] }, "uuid": "fda4561c-56a9-479b-8db5-7f6774be9a3d", "value": "Chinotto (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis", "https://community.riskiq.com/article/5fe2da7f", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf", "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746", "https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf", "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists", "https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf", "https://community.riskiq.com/article/56fa1b2f" ], "synonyms": [], "type": [] }, "uuid": "f8f5f33b-c719-4b6d-bf98-07979ac0cd97", "value": "Chinoxy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" ], "synonyms": [], "type": [] }, "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", "value": "Chir" }, { "description": "Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. 
It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was, for example, observed by SentinelOne during a PYSA ransomware campaign, where it was used to achieve persistence and as a backdoor.\r\nGitHub: https://github.com/jpillora/chisel", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel", "https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/" ], "synonyms": [], "type": [] }, "uuid": "fbfbbcbc-6730-4c4d-9ece-9b72802d42e9", "value": "Chisel (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client", "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html" ], "synonyms": [], "type": [] }, "uuid": "637714e1-c46d-4c10-bbc5-604c6e47fbbb", "value": "ChiserClient" }, { "description": "Choziosi is a browser hijacker for Chrome. It was first seen in January 2022. It commonly infects users via pirated media downloads like games, software, wallpapers or movies. 
The initial infectors are available for several platforms such as Mac and Windows.\r\n\r\nIts main component is the Chrome browser extension written in JavaScript with the purpose of serving advertisements and hijacking search requests to Google, Yahoo and Bing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi", "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension", "https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension", "https://cybergeeks.tech/chromeloader-browser-hijacker", "https://www.connectwise.com/blog/threat-report/smash-jacker", "https://redcanary.com/blog/chromeloader/", "https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER", "https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html" ], "synonyms": [ "ChromeLoader" ], "type": [] }, "uuid": "7cfa3158-ccfc-4c23-8e7a-5d4e9cc1c43f", "value": "Choziosi (Windows)" }, { "description": "ChrGetPdsi is a basic infostealer written in Golang which is designed to steal browser history and logins, and targets Chrome, Edge, and Firefox. The output is written to a text file named chrgetpdsi.txt. 
Based on the samples analysed, the malware does not appear to have networking capabilities, and therefore it is likely that it is intended to be used in a post-compromise situation where the attacker already has access to the target system and can retrieve the created output file via other means. ChrGetPdsi has been observed being deployed by the Broomstick malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chrgetpdsi_stealer", "https://exchange.xforce.ibmcloud.com/malware-analysis/guid:2f96dded08ec1c2dd039fca21378050c", "https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "3cc84a6b-4706-4ada-9355-7c945bb0eb4f", "value": "ChrGetPdsi Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" ], "synonyms": [ "AndroKINS" ], "type": [] }, "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", "value": "Chthonic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cifty", "http://contagiodump.blogspot.com/2009/06/win32updateexe-md5-eec80fd4c7fc5cf5522f.html" ], "synonyms": [], "type": [] }, "uuid": "8a1af36b-b8e1-4e05-ac42-c2866ffba031", "value": "cifty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi", "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf", 
"http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/", "https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html" ], "synonyms": [], "type": [] }, "uuid": "d0f0f754-fe9b-45bd-a9d2-c6110c807af4", "value": "Cinobi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinoshi", "https://cyble.com/blog/cinoshi-project-and-the-dark-side-of-free-maas/", "https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat", "https://twitter.com/suyog41/status/1633807752127475713?s=20", "https://www.youtube.com/watch?v=-KJ0HIvmVl0" ], "synonyms": [ "Agniane" ], "type": [] }, "uuid": "65f75ea8-c06b-4d8d-b757-e992966667b5", "value": "Cinoshi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals", "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html" ], "synonyms": [], "type": [] }, "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", "value": "Citadel" }, { "description": "Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. 
One version of Clambling uses Dropbox as C&C channel to hide its communication.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling", "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf", "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/", "https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" ], "synonyms": [], "type": [] }, "uuid": "783c8192-d00d-446c-bf06-0ce0cb4bc2c2", "value": "Clambling" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "c433e0f1-760c-41e6-bb62-13eaf7bbf1f4", "value": "CLASSFON" }, { "description": "CLEANTOAD is a disruption tool that will delete file system artifacts, including those related to BLINDTOAD, and will run after a date obtained from a configuration file. The malware injects shellcode into notepad.exe and it overwrites and deletes files, modifies registry keys, deletes services, and clears Windows event logs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cleantoad", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf" ], "synonyms": [], "type": [] }, "uuid": "c0417767-5b98-43b0-b9e7-e43dc7f53c6a", "value": "CLEANTOAD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" ], "synonyms": [], "type": [] }, "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", "value": "Client Maximus" }, { "description": "The ClipBanker Trojan is known as an information stealer and spy trojan, it aims to steal and record any type of sensitive information from the infected environment such as browser history, 
cookies, Outlook data, Skype, Telegram, or cryptocurrency wallet account addresses. The main goal of this threat is to steal confidential information.\r\n The ClipBanker uses PowerShell commands for executing malicious activities. The thing that made the ClipBanker unique is its ability to record various banking actions of the user and manipulate them for its own benefit. The distribution method of the ClipBanker is through phishing emails or through social media posts that lure users to download malicious content.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker", "https://asec.ahnlab.com/en/35981/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", "https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [], "type": [] }, "uuid": "5d6a9b59-96b1-4bc4-824d-ffe208b99462", "value": "ClipBanker" }, { "description": "A keylogger.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clipog", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government" ], "synonyms": [], "type": [] }, "uuid": "0cc6c7a8-9484-4017-97ac-2fd5594f27f8", "value": "Clipog" }, { "description": "Clop is a ransomware which uses the .clop extension after having encrypted the victim's files. Another unique characteristic belonging with Clop is in the string: \"Dont Worry C|0P\" included into the ransom notes. 
It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop", "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://asec.ahnlab.com/en/19542/", "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf", "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://twitter.com/darb0ng/status/1338692764121251840", "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", "https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/", "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html", "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/", 
"https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://unit42.paloaltonetworks.com/clop-ransomware/", "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/", "https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations", "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/", "https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/", "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e", "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://github.com/Tera0017/TAFOF-Unpacker", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.youtube.com/watch?v=PqGaZgepNTE", "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md", "https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html", 
"https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf", 
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop", "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26", "https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html", "https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/" ], "synonyms": [], "type": [] }, "uuid": "8071f2d8-cc44-4682-845b-6f39a9f8b587", "value": "Clop (Windows)" }, { "description": "CLOUDBURST aka NickelLoader is an HTTP(S) downloader. \r\n\r\nIt recognizes a set of four basic commands, all five letters long, like abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). The most important functionality is to load a received buffer, either as a DLL via the MemoryModule implementation, or as a shellcode.\r\n\r\nIt uses AES for encryption and decryption of network traffic. It usually sends the following information back to its C&C server: computer name, product name and the list of running processes. Typically, it uses two hardcoded parameter names for its initial HTTP POST requests: gametype and type (alternatively: type and code).\r\n\r\nThe CLOUDBURST payload is disguised as mscoree.dll and is side-loaded via a legitimate Windows binary PresentationHost.exe with the argument -embeddingObject. 
It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata), or as a standalone DLL loaded by a dropper, which is a trojanized plugin project as well (usually NppyPlugin by Jari Pennanen).\r\n\r\nThe CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/", "https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/", "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970" ], "synonyms": [ "NickelLoader" ], "type": [] }, "uuid": "3f320960-77a2-4525-8d19-95b6028ec0d5", "value": "CLOUDBURST" }, { "description": "CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. 
The downloaded payload is xored.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye", "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/", "https://twitter.com/sysopfb/status/1258809373159305216", "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services", "https://labs.vipre.com/unloading-the-guloader/", "https://twitter.com/VK_Intel/status/1255537954304524288", "https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877", "https://blog.vincss.net/vi/re014-guloader-antivm-techniques/", "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943", "https://blog.morphisec.com/guloader-the-rat-downloader", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://www.spamhaus.com/resource-center/dissecting-the-new-shellcode-based-variant-of-guloader-cloudeye/", "https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader", "https://www.youtube.com/watch?v=N0wAh26wShE", "https://malwation.com/malware-config-extraction-diaries-1-guloader/", "https://asec.ahnlab.com/en/55978/", "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/", "https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/", "https://twitter.com/TheEnergyStory/status/1240608893610459138", "https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa", "https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans", "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4", "https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", 
"https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", "https://www.joesecurity.org/blog/3535317197858305930", "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/", "https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/", "https://labs.k7computing.com/?p=20156", "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/", "https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/", "https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", "https://twitter.com/VK_Intel/status/1252678206852907011", "https://www.crowdstrike.com/blog/guloader-malware-analysis/", "https://www.youtube.com/watch?v=gk7fCC5RiAQ", "https://labs.k7computing.com/?p=21725Lokesh", "https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf", "https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us", "https://experience.mandiant.com/trending-evil-2/p/1", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://sansorg.egnyte.com/dl/ALlvwK6fp0", "https://www.youtube.com/watch?v=K3Yxu_9OUxU", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", 
"https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://any.run/cybersecurity-blog/deobfuscating-guloader/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/", "https://research.checkpoint.com/2020/guloader-cloudeye/", "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/", "https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/", "https://twitter.com/VK_Intel/status/1257206565146370050", "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader", "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two", "https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195", "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://malwarebookreports.com/guloader-navigating-a-maze-of-intricacy/", "https://twitter.com/TheEnergyStory/status/1239110192060608513", "https://youtu.be/Lt07O3XSNJQ", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/", "https://www.youtube.com/watch?v=-FxyzuRv6Wg", "https://cyberint.com/blog/other/guloader-downloaded-a-look-at-the-latest-iteration/" 
], "synonyms": [ "GuLoader", "vbdropper" ], "type": [] }, "uuid": "966f54ae-1781-4f2e-8b32-57a242a00bb9", "value": "CloudEyE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudwizard", "https://securelist.com/cloudwizard-apt/109722/" ], "synonyms": [], "type": [] }, "uuid": "4d941367-b22e-4d01-930e-c757b58eff58", "value": "CloudWizard" }, { "description": "F-Secure describes CloudDuke as a malware toolset known to consist of, at least, a downloader, a loader and two backdoor variants. The CloudDuke downloader will download and execute additional malware from a preconfigured location. Interestingly, that location may be either a web address or a Microsoft OneDrive account. Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke. While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", "https://www.f-secure.com/weblog/archives/00002822.html" ], "synonyms": [ "CloudLook", "MiniDionis" ], "type": [] }, "uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c", "value": "CloudDuke" }, { "description": "According to ESET Research, CloudScout is a toolset capable of retrieving data from various cloud services by leveraging stolen web session cookies. 
Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda’s signature malware framework.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_scout", "https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/" ], "synonyms": [], "type": [] }, "uuid": "76abb504-a218-444f-a5ce-8921e10c4a4e", "value": "CloudScout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmoon", "https://securelist.ru/how-the-cmoon-worm-collects-data/109988/#" ], "synonyms": [], "type": [] }, "uuid": "0f5a7988-bf8c-4bdc-a4db-782bba424999", "value": "cmoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" ], "synonyms": [], "type": [] }, "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", "value": "CMSBrute" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", "https://twitter.com/ClearskySec/status/963829930776723461", "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [ "meciv" ], "type": [] }, "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", "value": "CMSTAR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot", "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145" ], "synonyms": [], "type": [] }, "uuid": "7acd9a27-f550-4c47-9fc8-429b61b04217", "value": "CoalaBot" }, { "description": "This Go 
written malware was observed during a campaign of COBALT MIRAGE; it includes FRP (Fast Reverse Proxy) published by fatedier on GitHub (https://github.com/fatedier/frp) and other projects additionally. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobaltmirage_tunnel", "https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools", "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us" ], "synonyms": [], "type": [] }, "uuid": "a9bebdbf-24b3-40e0-9596-2adf60c3abf8", "value": "CobaltMirage FRP" }, { "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon provides a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. 
Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/", "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/", "https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/", "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure", "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.malware-traffic-analysis.net/2021/09/29/index.html", "https://asec.ahnlab.com/ko/19860/", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://hitcon.org/2024/CMT/slides/Pirates_of_The_Nang_Hai_Follow_the_Artifacts_of_Tropic_Trooper,_No_One_Knows.pdf", "https://www.mandiant.com/resources/evolution-of-fin7", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/", "https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", 
"https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", "https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/", "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", 
"https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654", "https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/", "https://us-cert.cisa.gov/ncas/alerts/aa21-148a", "https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware", "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/", "https://twitter.com/RedDrip7/status/1402640362972147717?s=20", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/", "https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts", "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811", "https://twitter.com/Unit42_Intel/status/1458113934024757256", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://www.contextis.com/en/blog/dll-search-order-hijacking", "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", 
"https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass", "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", "https://www.youtube.com/watch?v=GfbxHy6xnbA", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://x.com/embee_research/status/1737325167024738425?s=46", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.netresec.com/?page=Blog&month=2024-01&post=Hunting-for-Cobalt-Strike-in-PCAP", "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf", "https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://us-cert.cisa.gov/ncas/alerts/aa21-265a", 
"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", "https://embeeresearch.io/ghidra-basics-shellcode-analysis/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf", "https://redcanary.com/blog/intelligence-insights-december-2021", "https://www.youtube.com/watch?v=6SDdUVejR2w", "https://blog.group-ib.com/opera1er-apt", "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://web.br.de/interaktiv/ocean-lotus/en/", "https://isc.sans.edu/diary/rss/28934", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html", "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", "https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/", "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", 
"https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/", "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2", "https://skyblue.team/posts/scanning-virustotal-firehose/", "https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/", "https://youtu.be/_VZCocEFHgk?feature=shared", "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf", "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/", "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/", "https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b", "https://blog.exatrack.com/melofee/", "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://embeeresearch.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/", "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear", "https://401trg.com/burning-umbrella/", "https://unit42.paloaltonetworks.com/atoms/obscureserpens/", "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/", "https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight", "https://community.riskiq.com/article/0bcefe76", 
"https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://www.telsy.com/download/5972/?uid=d7c082ba55", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://censys.com/a-beginners-guide-to-hunting-open-directories/", "https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", "http://www.secureworks.com/research/threat-profiles/gold-winter", "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/", "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware", "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", "http://blog.nsfocus.net/murenshark", "https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://twitter.com/MsftSecIntel/status/1535417776290111489", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.accenture.com/us-en/blogs/security/ransomware-hades", "https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/", "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", 
"https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/", "https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.macnica.net/file/mpression_automobile.pdf", "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/", "https://assets.virustotal.com/reports/2021trends.pdf", "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/", "https://intel471.com/blog/shipping-companies-ransomware-credentials", "https://www.prevailion.com/what-wicked-webs-we-unweave/", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1", "https://www.youtube.com/watch?v=WW0_TgWT2gs", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery", 
"http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors", "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9", "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf", "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securelist.com/cve-2024-30051/112618", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt", 
"https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/", "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/", "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/", "https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://www.malware-traffic-analysis.net/2021/09/17/index.html", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://www.mandiant.com/resources/unc2452-merged-into-apt29", "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", "https://twitter.com/Unit42_Intel/status/1461004489234829320", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://twitter.com/cglyer/status/1480742363991580674", 
"https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/", "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir", "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems", "https://www.youtube.com/watch?v=YDtLmhw_nTo", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike", "https://jp.security.ntt/tech_blog/appdomainmanager-injection", "https://experience.mandiant.com/trending-evil-2/p/1", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", "https://blogs.blackberry.com/en/2022/01/log4u-shell4me", "https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf", "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware", "https://www.youtube.com/watch?v=YCwyc6SctYs", "https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", 
"https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire", "https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/", "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", "https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/", "https://twitter.com/GossiTheDog/status/1438500100238577670", "https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/", "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20", "https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack", "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/", "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/", "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728", "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/", 
"https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://www.youtube.com/watch?v=gfYswA_Ronw", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/", "https://twitter.com/AltShiftPrtScn/status/1403707430765273095", "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/", "https://connormcgarr.github.io/thread-hijacking/", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/", "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/", 
"https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://d01a.github.io/syscalls/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://blog.group-ib.com/apt41-world-tour-2021", "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/", "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", "https://unit42.paloaltonetworks.com/cobalt-strike-team-server/", "https://blog.talosintelligence.com/2021/05/ctir-case-study.html", "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", "https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks", "https://blog.zsec.uk/cobalt-strike-profiles/", "https://isc.sans.edu/diary/rss/27618", "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns", "https://asec.ahnlab.com/en/47455/", "https://isc.sans.edu/diary/28636", "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf", "https://malwarebookreports.com/cryptone-cobalt-strike/", "https://attack.mitre.org/groups/G0096", 
"https://blog.talosintelligence.com/warmcookie-analysis/", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf", "https://www.inde.nz/blog/different-kind-of-zoombomb", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://www.youtube.com/watch?v=C733AyPzkoc", "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/", "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", 
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk", "https://cert.gov.ua/article/703548", "https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html", "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", "https://embee-research.ghost.io/decoding-a-cobalt-strike-vba-loader-with-cyberchef/", "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection", "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", 
"https://community.riskiq.com/article/f0320980", "https://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/", "https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink", "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/", "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://www.secureworks.com/research/darktortilla-malware-analysis", "https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader", "https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/", "https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.youtube.com/watch?v=FC9ARZIZglI", "https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/", "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", 
"https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728", "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/", "https://www.mandiant.com/resources/defining-cobalt-strike-components", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf", "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/", "https://www.youtube.com/watch?v=borfuQGrB8g", "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/", "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns", "https://isc.sans.edu/diary/27308", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", "https://www.youtube.com/watch?v=XfUTpwZKCDU", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://embee-research.ghost.io/ghidra-basics-shellcode-analysis/", "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", 
"https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine", "https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis", "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware", "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/", "https://isc.sans.edu/diary/rss/28752", "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise", "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/", "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/", "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/", "https://embeeresearch.io/ghidra-entropy-analysis-locating-decryption-functions/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", 
"https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks", "https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/", "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/", "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/", "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html", "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://embee-research.ghost.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/", "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", 
"https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", "https://cert.gov.ua/article/339662", "https://isc.sans.edu/diary/rss/27176", "https://embee-research.ghost.io/shodan-censys-queries/", "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/", "https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion", "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/", "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://twitter.com/redcanary/status/1334224861628039169", "https://www.mandiant.com/resources/apt41-us-state-governments", "https://explore.group-ib.com/htct/hi-tech_crime_2018", "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2", "https://blog.macnica.net/blog/2020/11/dtrack.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021", "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads", "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://twitter.com/AltShiftPrtScn/status/1350755169965924352", 
"https://www.cynet.com/understanding-squirrelwaffle/", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/", "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf", "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://twitter.com/alex_lanstein/status/1399829754887524354", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a", "https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/", "https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/", "https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes", "https://isc.sans.edu/diary/rss/26862", "https://blog.cobaltstrike.com/", "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust", 
"https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://paper.seebug.org/1301/", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf", "https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services", "https://www.malware-traffic-analysis.net/2023/10/03/index.html", "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/", "https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://securelist.com/apt-luminousmoth/103332/", "https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", "https://twitter.com/TheDFIRReport/status/1359669513520873473", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering", "https://cert.gov.ua/article/37704", "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html", "https://github.com/sophos-cybersecurity/solarwinds-threathunt", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/", 
"https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups", "https://twitter.com/elisalem9/status/1398566939656601606", "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", "https://twitter.com/swisscom_csirt/status/1354052879158571008", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/", "https://www.mandiant.com/media/10916/download", "https://medium.com/@b.magnezi/malware-analysis-cobalt-strike-92ef02b35ae0", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/", "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20", "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64", 
"https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://twitter.com/vikas891/status/1385306823662587905", "https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html", "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", "https://asec.ahnlab.com/ko/19640/", "https://malware-traffic-analysis.net/2021/09/29/index.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html", "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign", "https://www.ic3.gov/Media/News/2021/210823.pdf", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://asec.ahnlab.com/en/31811/", "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf", "https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html", "https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7", "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/", "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", 
"https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://twitter.com/ffforward/status/1324281530026524672", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://blog.group-ib.com/REvil_RaaS", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf", "https://www.secureworks.com/research/threat-profiles/gold-waterfall", "https://embee-research.ghost.io/ghidra-entropy-analysis-locating-decryption-functions/", "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41", "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/", "https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/", "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf", 
"https://redcanary.com/blog/gootloader", "https://boschko.ca/cobalt-strike-process-injection/", "https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a", "https://wbglil.gitbook.io/cobalt-strike/", "https://www.brighttalk.com/webcast/7451/462719", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/", "https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", "https://www.cobaltstrike.com/support", "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/", "https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html", "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/", "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", 
"https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://twitter.com/felixw3000/status/1521816045769662468", "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", "https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/", "https://netresec.com/?b=214d7ff", "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", "https://www.bitsight.com/blog/emotet-botnet-rises-again", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://www.youtube.com/watch?v=pIXl79IPkLI", "https://x.com/embee_research/status/1736758775326146778", "https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia", "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/", 
"https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/", "https://redcanary.com/blog/grief-ransomware/", "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", "https://blog.group-ib.com/colunmtk_apt41", "https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/", "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.youtube.com/watch?v=LA-XE5Jy2kU", "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", "https://www.tgsoft.it/news/news_archivio.asp?id=1568", "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/", "https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html", "https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", 
"https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://blogs.blackberry.com/en/2021/11/zebra2104", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://embeeresearch.io/shodan-censys-queries/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://thedfirreport.com/2024/08/26/blacksuit-ransomware/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/", "https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/", "https://github.com/chronicle/GCTI", "https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e", "https://twitter.com/TheDFIRReport/status/1356729371931860992", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://github.com/Apr4h/CobaltStrikeScan", 
"https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718", "https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", "https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf", "https://www.istrosec.com/blog/apt-sk-cobalt/", "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/", "https://www.mandiant.com/resources/sabbath-ransomware-affiliate", "https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/", "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", "https://twitter.com/Cryptolaemus1/status/1407135648528711680", "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b", "https://isc.sans.edu/diary/26752", "https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/", "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive", 
"https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/", "https://www.youtube.com/watch?v=y65hmcLIWDY", "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html", "https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/", "https://cert.gov.ua/article/619229", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.elastic.co/security-labs/grimresource", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://community.riskiq.com/article/c88cf7e6", "https://www.youtube.com/watch?v=ysN-MqyIN7M", "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/", "https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7", "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/MBThreatIntel/status/1412518446013812737", "https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2", "https://www.mandiant.com/media/12596/download", "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf", "https://isc.sans.edu/diary/rss/28664", "https://redcanary.com/blog/getsystem-offsec/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/", "https://www.arashparsa.com/hook-heaps-and-live-free/", "https://twitter.com/AltShiftPrtScn/status/1385103712918642688", 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/", "https://www.ironnet.com/blog/ransomware-graphic-blog", "https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting", "https://asec.ahnlab.com/en/34549/", "https://zero.bs/cobaltstrike-beacons-analyzed.html", "https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors", "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", "https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications", "https://malwarelab.eu/posts/fin6-cobalt-strike/", "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/", "https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/", "https://twitter.com/MsftSecIntel/status/1522690116979855360", "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", "https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html", "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/", 
"https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/", "https://isc.sans.edu/diary/rss/28448", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://twitter.com/VK_Intel/status/1294320579311435776", "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a" ], "synonyms": [ "Agentemis", "BEACON", "CobaltStrike", "cobeacon" ], "type": [] }, "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "value": "Cobalt Strike" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html", "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html" ], "synonyms": [], "type": [] }, "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", "value": "Cobian RAT" }, { "description": "CobInt, is a self-developed backdoor of the Cobalt group. 
The modular tool has capabilities to collect initial reconnaissance information about the compromised machine and to stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.netscout.com/blog/asert/double-infection-double-fun", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.group-ib.com/blog/renaissance", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "COOLPANTS" ], "type": [] }, "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", "value": "CobInt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a", "https://www.youtube.com/watch?v=FttiysUZmDw", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", 
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://github.com/hfiref0x/TDL", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf", "https://docs.broadcom.com/doc/waterbug-attack-group", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon", "https://www.circl.lu/pub/tr-25/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "Carbon" ], "type": [] }, "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", "value": "Cobra Carbon System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker", "https://twitter.com/JaromirHorejsi/status/817311664391524352" ], "synonyms": [], "type": [] }, "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f", "value": "CockBlocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" ], "synonyms": [], "type": [] }, "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", "value": "CodeKey" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.code_core", "https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a" ], "synonyms": [], "type": [] }, "uuid": "3952f4e0-0621-4bc3-bc6f-a848e0e49bd1", "value": "CodeCore" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc", "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" ], "synonyms": [], "type": [] }, "uuid": "9481d7b1-307c-4504-9333-21720b85317b", "value": "Cohhoc" }, { "description": "Coinminer is an 
unwanted malicious program that uses the victim's computational power (mostly CPU and RAM) to mine coins (for example Monero or Zcash). The malware achieves persistence by adding one of the open-source miners to startup without the victim's consent. Most sophisticated coin miners use timer settings or cap CPU usage in order to remain stealthy.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", "https://www.triskelelabs.com/investigating-monero-coin-miner", "https://secrary.com/ReversingMalware/CoinMiner/", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/", "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/", "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/", "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/" ], "synonyms": [], "type": [] }, "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", "value": "Coinminer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldbrew", "https://businessinsights.bitdefender.com/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild" ], "synonyms": [], "type": [] }, "uuid": "b30a19b2-383b-4ca5-a047-00910b8a3e03", "value": "coldbrew" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock", "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html", "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5" ], "synonyms": [], "type": [] }, "uuid": "140f271b-0be1-4455-96c6-015632ade33a", "value": "ColdLock" }, { "description": "Cold$eal is a packer for encrypting (sealing) malware. 
It contains some AV-evasion techniques as well as some sandbox detection. It was developed by $@dok (aka Sadok aka Coldseal).\r\nIt was available as a cryptor service under the URL coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom-made cryptostub, including a FUD guarantee backed by free updates to the cryptostub. The payload was encrypted using RC4 and added to the cryptostub as a resource. The encryption key itself was stored inside the resource as well. Upon start, the cryptostub would extract the key, decrypt the payload and perform a self-injection using the now decrypted payload.\r\nNote: The packed sample provided contains some harmless payload, while the unpacked sample is the bare cryptostub without a payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal", "https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html", "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/", "https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html", "https://www.youtube.com/watch?v=242Tn0IL2jE", "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/" ], "synonyms": [ "ColdSeal" ], "type": [] }, "uuid": "8d5b7766-673c-493f-b760-65afd61689cb", "value": "Cold$eal" }, { "description": "ColdStealer is a relatively new malicious program that was discovered in 2022. Like many other stealers, its main purpose is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets, FTP credentials, various files and information about the system such as OS version, system language, processor type and clipboard data. When the infostealer collects information that will be stolen, it saves the information in ZIP form in memory instead of as files. 
Doing so allows the malware to bypass detection, as there are no traces of files or execution. The only known method of delivering stolen information to the cybercriminals is sending a ZIP archive to the hardcoded command-and-control (C2) server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldstealer", "https://asec.ahnlab.com/ko/31703/", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://asec.ahnlab.com/en/32090/" ], "synonyms": [], "type": [] }, "uuid": "5869f846-adf8-4798-833e-54c05f9b30f6", "value": "ColdStealer" }, { "description": "According to CloudSEK, Colibri Loader is a form of malware designed to facilitate the installation of additional malware types on an already compromised system. This loader employs various techniques to evade detection, such as excluding the Import Address Table (IAT) and utilizing encrypted strings to complicate analysis. Similar to other loader malware, Colibri can be utilized to deploy information-stealing malware, potentially leading to significant loss of sensitive data. 
As a result, users should exercise caution when encountering unfamiliar files on their systems.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri", "https://fr3d.hk/blog/colibri-loader-back-to-basics", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf", "https://github.com/Casperinous/colibri_loader", "https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/", "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign", "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/" ], "synonyms": [], "type": [] }, "uuid": "09926538-a7a0-413b-bc7d-4b20a8f4b515", "value": "Colibri Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.collection_rat", "https://blog.talosintelligence.com/lazarus-collectionrat/" ], "synonyms": [], "type": [] }, "uuid": "6c6570f3-b407-458f-bb83-647c0b1f5dd9", "value": "Collection RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba", "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html", "https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/" ], "synonyms": [ "Collector Stealer" ], "type": [] }, "uuid": "5c0f96fd-54c0-44cd-9caf-b986e3fa2879", "value": "CollectorGoomba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony", "https://pastebin.com/GtjBXDmz", "https://secrary.com/ReversingMalware/Colony_Bandios/", "https://twitter.com/anyrun_app/status/976385355384590337" ], "synonyms": [ "Bandios", "GrayBird" ], "type": [] }, "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", "value": "Colony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack", 
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" ], "synonyms": [], "type": [] }, "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", "value": "Combojack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e", "value": "Combos" }, { "description": "ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.\r\n\r\nIt is an HTTP(S) downloader.\r\n\r\nIt uses the AES CBC cipher implemented through OpenSSL's EVP interface for decryption of its configuration, and also for encryption and decryption of the client-server communication. \r\n\r\nThe parameter names in HTTP POST requests of the client are generated randomly. On the initial connection, the client exchanges keys with the server via the Diffie–Hellman key agreement protocol for the elliptic curve secp521r1. The client generates a random 32-byte-long private key, and the server responds with its public key in a buffer starting with the wide character \"0\".\r\n\r\nNext, the client sends the current local time, and the server responds with a buffer containing multiple values separated by the pipe symbol. The typical values are the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL to verify the authenticity of the payload. \r\n\r\nThere are variants of ComeBacker without statically linked OpenSSL. 
In that case, the key exchange is omitted and AES CBC is replaced with HC-256.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker", "https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=55", "https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf", "http://blog.nsfocus.net/stumbzarus-apt-lazarus/", "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", "https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/", "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/", "https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/", "https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/", "https://www.anquanke.com/post/id/230161" ], "synonyms": [], "type": [] }, "uuid": "44240b4b-09d3-4b6b-a077-bce00c35ea38", "value": "ComeBacker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comfoo", "https://www.secureworks.com/research/secrets-of-the-comfoo-masters" ], "synonyms": [], "type": [] }, "uuid": "f5044eda-3119-4fcf-b8af-9b56ab66b9be", "value": "Comfoo" }, { "description": "ComLook is a malicious plugin for the mail client \"The Bat!\", written in C++ and compiled with MSVC 10.0. It implements malicious commands like PutFile, GetFile, SetConfig, GetConfig, and Command. It contains hard-coded email addresses and other information, indicating a target in Azerbaijan. It was first uploaded to VirusTotal on January 12, 2022, and is associated with the APT group Turla. 
It appears to be a targeted deployment.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comlook", "https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook", "https://twitter.com/ClearskySec/status/1484211242474561540" ], "synonyms": [], "type": [] }, "uuid": "7726de54-95cc-4783-b26f-79882f0f6cba", "value": "ComLook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic", "https://securelist.com/bad-magic-apt/109087/", "https://securelist.com/cloudwizard-apt/109722/", "https://securelist.com/bad-magic-apt/109087/?s=31" ], "synonyms": [], "type": [] }, "uuid": "600b553b-660b-4bbd-9c5d-4e91af9d276a", "value": "CommonMagic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" ], "synonyms": [], "type": [] }, "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", "value": "ComodoSec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun", "https://securelist.com/compfun-http-status-based-trojan/96874/", "https://securelist.com/compfun-successor-reductor/93633/", "https://securelist.com/it-threat-evolution-q2-2020/98230", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence" ], "synonyms": [ "Reductor RAT" ], "type": [] }, "uuid": "541d5642-0648-4b5a-97b9-81110f273771", "value": "COMpfun" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/", "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", 
"https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/" ], "synonyms": [ "lojack" ], "type": [] }, "uuid": "d24882f9-8645-4f6a-8a86-2f85daaad685", "value": "Computrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle", "https://twitter.com/struppigel/status/816926371867926528" ], "synonyms": [], "type": [] }, "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", "value": "ComradeCircle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5", "value": "concealment_troy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", "https://redcanary.com/blog/intelligence-insights-january-2022/", "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker", "https://github.com/tillmannw/cnfckr", "http://contagiodump.blogspot.com/2009/05/win32conficker.html", "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md", "https://www.minitool.com/backup-tips/conficker-worm.html" ], "synonyms": [ "Kido", "downadup", "traffic converter" ], "type": [] }, "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", "value": "Conficker" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", "https://blog.nsfocus.net/aptconfuciuspakistanibo/", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/", "https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/", "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html", "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" ], "synonyms": [], "type": [] }, "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", "value": "Confucius" }, { "description": "Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. 
In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti", "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider", "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", "https://www.connectwise.com/resources/conti-profile", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098", "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/", "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf", "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger", "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79", "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://github.com/cdong1012/ContiUnpacker", "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", 
"https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://twitter.com/AltShiftPrtScn/status/1423188974298861571", "https://www.youtube.com/watch?v=uORuVVQzZ0A", "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti", "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir", "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html", "https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti", "https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b", "https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia", 
"https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again", "https://securelist.com/luna-black-basta-ransomware/106950", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", "https://twitter.com/TheDFIRReport/status/1498642512935800833", "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", "https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/", "https://www.mbsd.jp/research/20210413/conti-ransomware/", "https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations", "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/", "https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/", "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573", 
"https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my", "https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/", "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/", "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf", "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve", "https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/", "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/", "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware", "https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up", "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf", "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html", "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/", 
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware", "https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html", "https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html", "https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/", "https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html", "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti", "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.youtube.com/watch?v=hmaWy9QIC7c", "https://www.youtube.com/watch?v=cYx7sQRbjGA", "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/", "https://twitter.com/AltShiftPrtScn/status/1350755169965924352", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", 
"https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://us-cert.cisa.gov/ncas/alerts/aa21-265a", "https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://github.com/TheParmak/conti-leaks-englished", "https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware", "https://intel471.com/blog/conti-leaks-cybercrime-fire-team", "https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728", "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/", "https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/", "https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures", "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked", 
"https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/", "https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/", "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru", "https://arcticwolf.com/resources/blog/karakurt-web", "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html", "https://twitter.com/AltShiftPrtScn/status/1417849181012647938", "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf", "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles", "https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf", "https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html", "https://github.com/whichbuffer/Conti-Ransomware-IOC", "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", "https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8", "https://unit42.paloaltonetworks.com/conti-ransomware-gang/", "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/", "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware", 
"https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/", "https://www.threatstop.com/blog/conti-ransomware-source-code-leaked", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/", "https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html", "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf", "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed", "https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/", "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks", "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/", "https://intel471.com/blog/shipping-companies-ransomware-credentials", 
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups", "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/", "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://www.ic3.gov/Media/News/2021/210521.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html", "https://www.prevailion.com/what-wicked-webs-we-unweave/", "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.0ffset.net/reverse-engineering/capstone-resolving-stack-strings/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.ironnet.com/blog/ransomware-graphic-blog", "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/", "https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/", 
"https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love", "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html", "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked", "https://github.com/EmissarySpider/ransomware-descendants", "https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/", "https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/", "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider", "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx", "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html", "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html", "https://share.vx-underground.org/Conti/", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf" ], "synonyms": [], "type": [] }, "uuid": "c9dca6f3-2a84-4abe-8f33-ccb7a7a0246c", "value": "Conti (Windows)" }, { "description": "FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. 
It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee", "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", "https://content.fireeye.com/apt/rpt-apt38" ], "synonyms": [ "WHITEOUT" ], "type": [] }, "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de", "value": "Contopee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", "value": "CookieBag" }, { "description": "According to PCRisk, CopperStealer, also known as Mingloa, is a malicious program designed to steal sensitive/personal information. It also has the capability to cause chain infections (i.e., download/install additional malware).\r\n\r\nSignificant activity of CopperStealer has been observed in Brazil, India, Indonesia, Pakistan, and the Philippines. 
At the time of research, this malware had been noted being spread via websites offering illegal activation tools (\"cracks\") for licensed software products.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.copper_stealer", "https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html", "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft" ], "synonyms": [ "Mingloa" ], "type": [] }, "uuid": "87afcc5d-27f6-4427-b43c-4621a66e5041", "value": "CopperStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", "https://www.crowdstrike.com/blog/ecrime-ecosystem/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf", "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/" ], "synonyms": [], "type": [] }, "uuid": "495377c4-1be5-4c65-ba66-94c221061415", "value": "Corebot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn", "https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription", "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html", "https://blog.alyac.co.kr/2105", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" ], "synonyms": [], "type": [] }, "uuid": "331f0c80-a795-48aa-902e-0b0d57de85f5", "value": "CoreDN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", 
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://malware.prevenity.com/2014/08/malware-info.html", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html" ], "synonyms": [ "SOURFACE" ], "type": [] }, "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e", "value": "Coreshell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware", "https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html" ], "synonyms": [ "CoronaVirus Cover-Ransomware" ], "type": [] }, "uuid": "ba683942-1524-459a-ad46-827464967164", "value": "CoronaVirus Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cosmicduke", "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", "https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/" ], "synonyms": [], "type": [] }, "uuid": "14990e2c-81a2-4750-b9a8-7535d152e437", "value": "CosmicDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf", "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf", 
"https://vblocalhost.com/uploads/VB2020-20.pdf", "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf", "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology" ], "synonyms": [], "type": [] }, "uuid": "47190b56-5176-4e8b-8c78-fcc10e511fa2", "value": "Cotx RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cova", "https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer" ], "synonyms": [], "type": [] }, "uuid": "cad667c1-be0a-49db-b2fb-462082a04fbe", "value": "Cova" }, { "description": "Covicli is a modified SSLeay32 dynamic library designated as a backdoor.\r\nThe dynamic library allows the attacker to communicate with the C2 over OpenSSL.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.covicli", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" ], "synonyms": [ "Covically" ], "type": [] }, "uuid": "e8986c0c-2997-425d-ae4e-529f82d3fa48", "value": "Covicli" }, { "description": "Destructive \"joke\" malware that ultimately deploys a wiper for the MBR.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.covid22", "https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr" ], "synonyms": [], "type": [] }, "uuid": "d4796a4f-63f0-42f0-a043-fb91416c29d2", "value": "Covid22" }, { "description": "PCRisk notes that CoViper is yet another Coronavirus/COVID-19-themed malware infection, most likely proliferated as a file related to the pandemic. It operates by rewriting the system Master Boot Record (MBR). It does not delete the original, but rather creates a backup and replaces it with a custom MBR.\r\n\r\nTypically, malicious software that modifies MBRs does so to prevent the Operating System (OS) from being booted (i.e., started). 
It also displays a screen-encompassing message, often containing a ransom message - this disables user access to the device. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper", "https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/", "https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html" ], "synonyms": [], "type": [] }, "uuid": "4d7d8496-52a6-47dc-abfe-4997af6dc465", "value": "CoViper" }, { "description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n• Command execution module for executing arbitrary Windows Command Prompt commands\r\n• Password stealer module\r\n• NT LAN Manager (NTLM) hash stealer module\r\n• System information gathering module\r\n• Screenshot module", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cozyduke", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html" ], "synonyms": [ "Cozer", "CozyBear", "CozyCar", "EuroAPT" ], "type": [] }, "uuid": "b461afd0-f5fd-4c25-8367-4235a6e8b9b1", "value": "COZYDUKE" }, { "description": "According to ANY.RUN, this is a dropper for win.privateloader and its execution will lead to a cascade of downloads with a large variety of additional malware.\r\nThe families include more loaders, information stealers, cryptominers, a proxy bot, and ultimately also ransomware. \r\nThe execution order is orchestrated, e.g. data is stolen and exfiltrated before encryption.\r\nIt is distributed through advertised cracked software, e.g. 
IDA Pro.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil", "https://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65", "https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://www.cloudsek.com/blog/from-discussion-forums-to-malware-mayhem-the-alarming-rise-of-abuse-on-google-groups-and-usenet", "https://otx.alienvault.com/pulse/65ba54eeaea0fcd931ff3b3b/", "https://www.infostealers.com/article/crackedcantil-a-malware-symphony-breakdown/", "https://www.pcrisk.com/removal-guides/28989-crackedcantil-malware", "https://gridinsoft.com/blogs/crackedcantil-dropper-malware/", "https://xfe-integration.xforce.ibm.com/osint/guid:f8f1276c350a70b7b543990e4fb53a76" ], "synonyms": [], "type": [] }, "uuid": "000693a0-b4a6-4d8d-8276-d12403c71196", "value": "CrackedCantil" }, { "description": "CRACKSHOT is a downloader that can download files, including binaries, and run them from the hard disk or execute them directly in memory. 
It is also capable of placing itself into a dormant state.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crackshot", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "cfa111c1-3740-4832-8e89-12a536f4fff9", "value": "crackshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore" ], "synonyms": [], "type": [] }, "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", "value": "CradleCore" }, { "description": "According to Cisco Talos, CRAT is a remote access trojan with plugin capabilities, used by Lazarus since at least May 2020.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat", "https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg", "https://www.secrss.com/articles/18635", "https://blog.talosintelligence.com/2020/11/crat-and-plugins.html", "https://suspected.tistory.com/269", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] }, "uuid": "ca901b56-b733-44af-aee2-38da79188dcb", "value": "CRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "9d193a65-dc18-4832-9daa-aab245cd1c86", "value": "CREAMSICLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.credomap", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf", "https://cert.gov.ua/article/341128", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://securityscorecard.com/research/apt28s-stealer-called-credomap" ], 
"synonyms": [], "type": [] }, "uuid": "37e6844c-4e45-4297-ac6e-afc98d37d994", "value": "CredoMap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", "value": "Credraptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creepysnail", "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" ], "synonyms": [], "type": [] }, "uuid": "a95d4aaa-302e-4a3c-a071-ba8eed978920", "value": "CreepySnail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creep_exfil", "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" ], "synonyms": [], "type": [] }, "uuid": "fc743725-2fa6-48dd-8797-57e298375505", "value": "CreepExfil" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" ], "synonyms": [], "type": [] }, "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331", "value": "Crenufs" }, { "description": "It was first discovered in 2017 and has since been used to attack organizations around the world. The malware is often distributed through phishing emails or by exploiting vulnerabilities in outdated security software. 
Once Crimson RAT is installed on a computer, it can be used to steal data, spy on users, and even take control of the infected computers.\r\n\r\nSome of the features of Crimson RAT include:\r\n\r\nRemote control of infected computers\r\nData theft, such as passwords, files, and emails\r\nUser spying\r\nTakeover of infected computers\r\nLocking of infected computers\r\nExtortion of payments", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://blog.yoroi.company/research/transparent-tribe-four-years-later", "https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/", "https://s.tencent.com/research/report/669.html", "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1", "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html", "https://www.4hou.com/posts/vLzM", "https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf", "https://twitter.com/katechondic/status/1502206599166939137", 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf", "https://securelist.com/transparent-tribe-part-2/98233/", "https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/", "https://twitter.com/teamcymru/status/1351228309632385027", "https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF", "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/", "https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east", "https://www.secrss.com/articles/24995", "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/", "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/", "https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions", "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html", "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html", "https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/", "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg", "https://securelist.com/transparent-tribe-part-1/98127/", "https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://twitter.com/teamcymru_S2/status/1501955802025836546", "https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", 
"https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [ "SEEDOOR", "Scarimson" ], "type": [] }, "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", "value": "Crimson RAT" }, { "description": "According to ThreatConnect, CrimsonIAS is a Delphi-written backdoor dating back to at least 2017. It enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable as it listens for incoming connections only, making it different from typical Windows backdoors that beacon out.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimsonias", "https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user-2/", "https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user/" ], "synonyms": [], "type": [] }, "uuid": "6f2a68d1-06a9-4657-98d8-590a6446e475", "value": "CrimsonIAS" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cring", "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html", "https://twitter.com/swisscom_csirt/status/1354052879158571008", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf" ], "synonyms": [], "type": [] }, "uuid": "f5a19987-d0b6-4cc3-89ab-d4540f2e9744", "value": "Cring" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosslock", "https://twitter.com/1ZRR4H/status/1648232869809078273" ], "synonyms": [], "type": [] }, "uuid": "505dc6be-56f3-49ca-be11-45b3e78a4ac2", "value": "CrossLock" }, { "description": "According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding 
modules in response to C&C replies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk", "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://thehackernews.com/2021/01/researchers-disclose-undocumented.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns", "https://content.fireeye.com/apt-41/rpt-apt41/", "https://www.youtube.com/watch?v=FttiysUZmDw", "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/", "https://twitter.com/MrDanPerez/status/1159459082534825986", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.youtube.com/watch?v=8x-pGlWpIYI", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" ], "synonyms": [ "Motnug", "ProxIP", "TOMMYGUN" ], "type": [] }, "uuid": "7ca7c08b-36fd-46b3-8b9e-a8b0d4743433", "value": "CROSSWALK" }, { "description": "According to Trend Micro, this is a custom loader for win.cobalt_strike, used by Earth Longzhi (a subgroup of APT41).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.croxloader", "https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html" ], "synonyms": [], "type": [] }, "uuid": "48d697ec-aa34-4d98-83e4-17b736d59a85", 
"value": "Croxloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cruloader", "https://malwarebookreports.com/cruloader-zero2auto/", "https://0x0d4y.blog/zero2automated-custom-sample/" ], "synonyms": [], "type": [] }, "uuid": "22d90775-cdcc-4c80-bb0a-1503275671c7", "value": "CruLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf" ], "synonyms": [], "type": [] }, "uuid": "e7dc138f-00cb-4db6-a6e7-3ecac853285d", "value": "Crutch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/", "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/", "https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html", "https://twitter.com/albertzsigovits/status/1217866089964679174", "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", "https://twitter.com/demonslay335/status/971164798376468481", "https://securelist.com/cis-ransomware/104452/", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://unit42.paloaltonetworks.com/trigona-ransomware-update/", "https://twitter.com/bartblaze/status/1305197264332369920", "https://hackmag.com/security/ransomware-russian-style/", "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300" ], "synonyms": [ "CryLock" ], "type": [] }, "uuid": 
"32fa6c53-b4fc-47f8-894c-1ea74180e02f", "value": "Cryakl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" ], "synonyms": [], "type": [] }, "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", "value": "CryLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic", "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" ], "synonyms": [], "type": [] }, "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", "value": "CrypMic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker", "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" ], "synonyms": [], "type": [] }, "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", "value": "Crypt0l0cker" }, { "description": "A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies, and credit cards, and of creating screenshots of the infected system. 
All stolen data is bundled into a zip-file that is uploaded to the c2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot", "https://asec.ahnlab.com/en/24423/", "https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html", "https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/", "https://asec.ahnlab.com/en/35981/", "https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/", "https://experience.mandiant.com/trending-evil-2/p/1", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/", "https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger", "https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/", "https://www.mandiant.com/resources/russian-targeting-gov-business", "https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf", "https://fr3d.hk/blog/cryptbot-too-good-to-be-true", "https://asec.ahnlab.com/en/31683/", "https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf", "https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer", "https://asec.ahnlab.com/en/26052/", "https://asec.ahnlab.com/en/31802/" ], "synonyms": [], "type": [] }, "uuid": "2274aaf6-4807-4cda-8f5b-16a757f4ff23", "value": "CryptBot" }, { "description": "CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. 
According to Palo Alto Networks, CrypticConvo and several additional trojans are believed to be included in a meta framework used by the \"Scarlet Mimic\" threat actor in order to quickly evade AV systems.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo", "https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/" ], "synonyms": [], "type": [] }, "uuid": "972fbb7b-6945-42d8-ba88-a7b4e6fc1ad4", "value": "CrypticConvo" }, { "description": "According to OALabs, this ransomware has the following features: \r\n* Files are encrypted with AES CBC using a generated 256 bit key and IV.\r\n* The generated AES keys are encrypted using a hard coded RSA key and appended to the encrypted files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptnet", "https://research.openanalysis.net/dotnet/cryptnet/ransomware/2023/04/20/cryptnet.html", "https://blog.cyber5w.com/cryptnet-ransomware-analysis" ], "synonyms": [], "type": [] }, "uuid": "99c468a2-c69f-4c9c-9941-0627052001b2", "value": "CryptNET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoclippy", "https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/", "https://labs.k7computing.com/index.php/cryptoclip-hijacker/" ], "synonyms": [], "type": [] }, "uuid": "7c296221-3945-4803-b25f-1e221b513f0d", "value": "CryptoClippy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptodarkrubix", "https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html" ], "synonyms": [ "Ranet" ], "type": [] }, "uuid": "c6d09bb2-5673-4b2b-b2cb-5d14f2568189", "value": "CryptoDarkRubix" }, { "description": "CryptoJoker is an open source ransomware written in C#.\r\nCryptoJoker uses a combination of a \"custom XOR\" encryption and RSA. 
A public/private key pair is generated for every computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptojoker", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/plutocrypt-a-cryptojoker-ransomware-variant" ], "synonyms": [ "PlutoCrypt" ], "type": [] }, "uuid": "01cb8122-7a24-436f-85d3-d6a306800f10", "value": "CryptoJoker" }, { "description": "CryptoLocker is a sophisticated ransomware family that was launched in late 2013. It is designed to attack the Windows operating system by encrypting the files on the system using an RSA-2048 public key. To decrypt the files, the user has to pay a ransom (usually 300 USD/EUR or 2 Bitcoins).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://www.secureworks.com/research/cryptolocker-ransomware", "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "http://www.secureworks.com/research/threat-profiles/gold-evergreen" ], "synonyms": [], "type": [] }, "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", "value": "CryptoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" ], "synonyms": [], 
"type": [] }, "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", "value": "CryptoLuck" }, { "description": "A variant of CryptoMix is win.clop. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/new-azer-cryptomix-ransomware-variant-released/" ], "synonyms": [ "Azer", "CryptFile2" ], "type": [] }, "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", "value": "CryptoMix" }, { "description": "CryptoPatronum is a ransomware that encrypts user data through AES-256 (CBC) and it asks for BTC / ETH in order to get back the original files. In the ransom note there is not a title but only a reference to crsss.exe: its original file name. Once the files are encrypted, CryptoPatronum adds a .enc extension. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptopatronum", "https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "738acbd6-d0b7-40fd-bc1b-d7fbb74cbbf9", "value": "CryptoPatronum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium", "https://twitter.com/struppigel/status/810770490491043840" ], "synonyms": [], "type": [] }, "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a", "value": "Cryptorium" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield", "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", "value": "CryptoShield" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler", "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" ], "synonyms": [], "type": [] }, "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", "value": "CryptoShuffler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoslay", "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks" ], "synonyms": [], "type": [] }, "uuid": "4c49912a-fe14-40e7-90eb-3ffb0b3453f2", "value": "CRYPTOSLAY" }, { "description": "CryptoWall is ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall", 
"https://sites.temple.edu/care/ci-rw-attacks/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f" ], "synonyms": [], "type": [] }, "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", "value": "Cryptowall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire", "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" ], "synonyms": [], "type": [] }, "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", "value": "CryptoWire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress", "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" ], "synonyms": [], "type": [] }, "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", "value": "CryptoFortress" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware", "https://twitter.com/JaromirHorejsi/status/818369717371027456" ], "synonyms": [], "type": [] }, "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", "value": "CryptoRansomeware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx", "https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" ], "synonyms": [], "type": [] }, "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8", "value": "CryptXXXX" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox", "https://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/", 
"https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware" ], "synonyms": [], "type": [] }, "uuid": "c7fb0acb-018b-47eb-8555-5a0291e2505e", "value": "Crytox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.csext", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", "value": "CsExt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer", "https://blog.talosintelligence.com/warmcookie-analysis/", "https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/", "https://research.hisolutions.com/2024/06/how-to-detect-the-modular-rat-csharp-streamer/", "https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/" ], "synonyms": [], "type": [] }, "uuid": "54d757df-8da2-4f6e-8789-8790d6a73e46", "value": "csharp-streamer RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker", "https://samvartaka.github.io/malware/2015/11/20/ctb-locker", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/" ], "synonyms": [], "type": [] }, "uuid": "e8e28718-fe55-4d31-8b84-f8ff0acf0614", "value": "CTB Locker" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware", "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html", 
"https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/", "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf", "https://www.mandiant.com/resources/unc2596-cuba-ransomware", "https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/", "https://securelist.com/cuba-ransomware/110533/", "https://blog.group-ib.com/hancitor-cuba-ransomware", "https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html", "https://www.ic3.gov/Media/News/2021/211203-2.pdf", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf", "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", "https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/", "https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more", "https://lab52.io/blog/cuba-ransomware-analysis/", "https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/" ], "synonyms": [ "COLDDRAW" ], "type": [] }, "uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65", "value": "Cuba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", 
"http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html" ], "synonyms": [], "type": [] }, "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9", "value": "Cuegoe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry", "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" ], "synonyms": [], "type": [] }, "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", "value": "Cueisfry" }, { "description": "Potential Lazarus sample.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cur1_downloader", "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html", "https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ", "https://twitter.com/RedDrip7/status/1595365451495706624", "https://securelist.com/bluenoroff-methods-bypass-motw/108383/" ], "synonyms": [], "type": [] }, "uuid": "cca4f240-ac69-437e-b02a-5483ebef5087", "value": "Cur1Downloader" }, { "description": "Profero describes this as a ransomware family using CryptoPP as library to enable file encryption with the Salsa20 algorithm and protecting the encryption keys with RSA2048.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.curator", "https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/", "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/", "https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf" ], "synonyms": [ "Ever101", "SunnyDay" ], "type": [] }, "uuid": "f1d2093b-e008-4591-8a67-5b9c7684b8c6", "value": "Curator" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cursed_murderer", "https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": 
"600a73bf-d699-4400-ac35-6aed4ae5e528", "value": "Cursed Murderer" }, { "description": "CustomerLoader is a .Net-based loader that drops more than 40 different malware families. It appeared in June 2023 and is being distributed via phishing, YouTube videos and malicious websites.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.customerloader", "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers" ], "synonyms": [], "type": [] }, "uuid": "b002e530-38d5-48cf-90a9-5731871fae32", "value": "CustomerLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", "https://explore.group-ib.com/htct/hi-tech_crime_2018", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html" ], "synonyms": [], "type": [] }, "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9", "value": "Cutlet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", 
"https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/", "https://www.secureworks.com/research/threat-profiles/gold-essex", "https://darknetdiaries.com/episode/110/", "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", "value": "Cutwail" }, { "description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victim’s system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. 
It might also be used to install malicious software on the compromised\r\nsystems.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns", "https://blog.cyber5w.com/cybergate-malware-analysis", "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf", "https://sectrio.com/wp-content/uploads/2021/08/cybergate-threat-report.pdf", "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [ "Rebhip" ], "type": [] }, "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", "value": "CyberGate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter" ], "synonyms": [], "type": [] }, "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", "value": "CyberSplitter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot", "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" ], "synonyms": [], "type": [] }, "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", "value": "CycBot" }, { "description": "According to gdatasoftware, Cyrat ransomware uses Fernet to encrypt files. This is a symmetric encryption method meant for small data files that fit into RAM. 
While Fernet is not unusual itself, it is not common for ransomware and in this case even problematic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat", "https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html", "https://www.gdatasoftware.com/blog/cyrat-ransomware" ], "synonyms": [], "type": [] }, "uuid": "1995ed0a-81d9-43ca-9b38-6f001af84bbc", "value": "Cyrat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cysxl", "https://www.enigmasoftware.com/bkdrcysxla-removal/" ], "synonyms": [], "type": [] }, "uuid": "8db13fca-8f75-44dd-b507-e4d3f9c69d78", "value": "cysxl" }, { "description": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. 
In any case, no RAT is harmless and should be uninstalled immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf", "https://blog.netlab.360.com/dacls-the-dual-platform-rat/", "https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/", "https://malwareandstuff.com/peb-where-magic-is-stored/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://www.sygnia.co/mata-framework", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/" ], "synonyms": [ "MATA" ], "type": [] }, "uuid": "7c2b19be-f06b-4b21-b003-144e92d291d1", "value": "Dacls (Windows)" }, { "description": "DADJOKE was discovered as being distributed via email, targeting a South-East Asian Ministry of Defense. It is delivered as an embedded EXE file in a Word document using remote templates and a unique macro using multiple GET requests. The payload is deployed using load-order hijacking with a benign Windows Defender executable. Stage 1 has only beacon+download functionality, made to look like a PNG file. 
Additional analysis by Kaspersky found 8 campaigns over 2019 and no activity prior to January 2019; DADJOKE is attributed to APT40 with medium confidence.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke", "https://twitter.com/a_tweeter_user/status/1154764787823316993", "https://www.youtube.com/watch?v=vx9IB88wXSE", "https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9", "https://twitter.com/ClearskySec/status/1110941178231484417", "https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts", "https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/" ], "synonyms": [], "type": [] }, "uuid": "3cf1aa5a-c19d-4b50-a604-e445e1e2b4f1", "value": "DADJOKE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache", "https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html", "https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97", "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", "https://twitter.com/killamjr/status/1204584085395517440", "https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a", "https://twitter.com/cyb3rops/status/1199978327697694720" ], "synonyms": [], "type": [] }, "uuid": "cd9aac83-bdd0-4622-ae77-405d5b9c1dc5", "value": "DADSTACHE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", "value": "Dairy" }, { "description": "Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. 
The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", "https://www.youtube.com/watch?v=04RsqP_P9Ss", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/", "https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service", "https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques", "https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://securelist.com/tusk-infostealers-campaign/113367/", "https://assets.virustotal.com/reports/2021trends.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity", "https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://twitter.com/MsftSecIntel/status/1730383711437283757", 
"https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html", "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github", "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.esentire.com/blog/danabots-latest-move-deploying-icedid", "https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://asec.ahnlab.com/en/30445/", "https://flashpoint.io/blog/danabot-version-3-what-you-need-to-know/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.mandiant.com/resources/supply-chain-node-js", "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed", "https://security-soup.net/decoding-a-danabot-downloader/", "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/", "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor", "https://www.esentire.com/blog/from-darkgate-to-danabot", "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/", "https://research.checkpoint.com/danabot-demands-a-ransom-payment/", "https://twitter.com/f0wlsec/status/1459892481760411649", "https://blog.lexfo.fr/danabot-malware.html", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", 
"https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/", "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/" ], "synonyms": [], "type": [] }, "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", "value": "DanaBot" }, { "description": "Danbot is a backdoor that was originally written in C#; recent versions of Danbot are written in C++. Danbot gives a remote attacker remote-access features such as running cmd commands, uploading and downloading files, and moving and copying files. The backdoor commands are transmitted over either the HTTP or the DNS protocol. The commands are encapsulated in an XML file that is stored on disk. 
Danbot's backdoor component picks up the XML file, then decodes and decrypts the commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot", "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf", "https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f", "https://www.youtube.com/watch?v=FttiysUZmDw", "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf" ], "synonyms": [], "type": [] }, "uuid": "98d3c6b3-c29f-46ba-b24d-88b135cd3183", "value": "danbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daolpu", "https://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/", "https://www.loginsoft.com/post/blue-screen-mayhem-when-crowdstrikes-glitch-became-threat-actors-playground" ], "synonyms": [], "type": [] }, "uuid": "2e4139f0-f2b7-4507-a7f9-0ae48c1c2796", "value": "Daolpu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkbit", "https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel", "https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/", "https://twitter.com/luc4m/status/1626535098039271425", "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md" ], "synonyms": [], "type": [] }, "uuid": "abf5436b-23e4-4dec-8c98-0e95a499be78", "value": "DarkBit" }, { "description": "DarkCloud is an information stealer written in Visual Basic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud", 
"https://asec.ahnlab.com/en/53128/", "https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/" ], "synonyms": [], "type": [] }, "uuid": "43601d72-1df5-4d95-8cdc-ad9754aa5d72", "value": "DarkCloud Stealer" }, { "description": "DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After it was used in the Syrian civil war in 2011, Lesueur decided to stop developing the trojan. DarkComet enables control over a compromised system through a simple graphical user interface; experts think that this user-friendliness is the key to its mass success.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet", "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", "https://content.fireeye.com/apt/rpt-apt38", 
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", "https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf", "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" ], "synonyms": [ "Breut", "Fynloski", "klovbot" ], "type": [] }, "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591", "value": "DarkComet" }, { "description": "Mandiant associates this malware with UNC4191; it spreads to removable drives.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkdew", "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia" ], "synonyms": [], "type": [] }, "uuid": "16d9f98d-4da6-419d-89f7-8c30418255ae", "value": "DARKDEW" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkeye", "https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed" ], "synonyms": [], "type": [] }, "uuid": "ccbc93b4-fd7a-4926-88f3-bcf5a1c530a5", "value": "DarkEye" }, { "description": "First documented in 2018, DarkGate is a commodity loader with features that include the ability to download files and execute them in memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. 
New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "https://decoded.avast.io/janrubin/meh-2-2/", "https://blog.talosintelligence.com/darkgate-remote-template-injection/", "https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates", "https://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://www.vmray.com/cyber-security-blog/darkgate-from-autoit-to-shellcode-execution/", "https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams", "https://embeeresearch.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/", "https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md", "https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/", "https://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/", "https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html", "https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html", "https://www.logpoint.com/en/blog/inside-darkgate/", "https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/", "https://x.com/embee_research/status/1736758775326146778", "https://infosec.exchange/@spamhaus/113402246487904714", "https://blog.sekoia.io/darkgate-internals/", "https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606", "https://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py", 
"https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response", "https://www.netskope.com/jp/blog/new-darkgate-variant-uses-a-new-loading-approach", "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/", "https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors", "https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html", "https://dshield.org/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/", "https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/", "https://decoded.avast.io/janrubin/complex-obfuscation-meh/", "https://www.esentire.com/blog/from-darkgate-to-danabot", "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/", "https://kienmanowar.wordpress.com/2024/06/06/quicknote-darkgate-make-autoit-great-again/", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs", "https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/", "https://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232", "https://www.kroll.com/en/insights/publications/cyber/brute-forcing-darkgate-encodings", "https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/", "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" ], "synonyms": [ "Meh", "MehCrypter" ], "type": [] }, "uuid": "977ef666-33b7-41d4-9d98-15ab0d16bede", "value": "DarkGate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkirc", 
"https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability" ], "synonyms": [], "type": [] }, "uuid": "8258311c-0d64-4c6b-ab94-915e2cc267f0", "value": "DarkIRC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkloader", "https://twitter.com/3xp0rtblog/status/1459081435361517585" ], "synonyms": [], "type": [] }, "uuid": "269be5a3-471c-4a4b-a5d7-97ce75579213", "value": "DarkLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkme", "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", "http://blog.nsfocus.net/darkcasino-apt-evilnum/" ], "synonyms": [], "type": [] }, "uuid": "1dda5df9-5c92-44a4-b1c7-a09b71bc1553", "value": "DarkMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi", "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html", "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html" ], "synonyms": [], "type": [] }, "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d", "value": "DarkMegi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html", "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml", "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html" ], "synonyms": [ "Chymine" ], "type": [] }, "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", "value": "Darkmoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpink", "https://www.group-ib.com/media-center/press-releases/dark-pink-apt/" ], "synonyms": [], "type": [] }, "uuid": "f3522624-a704-4d74-8c21-1c863ab6d5eb", "value": "DarkPink" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], "type": [] }, "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0", "value": "DarkPulsar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat", "https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md", "https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel" ], "synonyms": [], "type": [] }, "uuid": "bcff979f-2b4b-41cc-86c9-fe1ea3adce6e", "value": "DarkRat" }, { "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell", "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/" ], "synonyms": [], "type": [] }, "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", "value": "DarkShell" }, { "description": "FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable disks, or network shares. 
The malware can be customized by the affiliates to create a build for specific victims.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside", "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", "https://www.secjuice.com/blue-team-detection-darkside-ransomware/", "https://www.secureworks.com/research/threat-profiles/gold-waterfall", "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html", "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/", "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/", "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims", "https://zawadidone.nl/darkside-ransomware-analysis/", "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/", "https://twitter.com/GelosSnake/status/1451465959894667275", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/", "https://www.databreaches.net/a-chat-with-darkside/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections", "https://twitter.com/ValthekOn/status/1422385890467491841?s=20", "https://twitter.com/JAMESWT_MHT/status/1388301138437578757", "https://www.youtube.com/watch?v=NIiEcOryLpI", "https://blog.group-ib.com/blackmatter#", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://community.riskiq.com/article/fdf74f23", "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions", "https://unit42.paloaltonetworks.com/darkside-ransomware/", 
"https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/", "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/", "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.glimps.fr/lockbit3-0/", "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html", "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", "https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/", "https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/", "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom", "https://brandefense.io/darkside-ransomware-analysis-report/", "https://us-cert.cisa.gov/ncas/alerts/aa21-131a", "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/", "https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution", "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin", "https://www.varonis.com/blog/darkside-ransomware/", "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", 
"https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/", "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime", "https://www.mandiant.com/resources/burrowing-your-way-into-vpns", "https://twitter.com/embee_research/status/1678631524374020098?s=46", "https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636", "https://twitter.com/sysopfb/status/1422280887274639375", "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968", "http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/", "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/", "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", 
"https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/", "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/", "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/", "https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html", "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a", "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack", "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware", "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html", "https://github.com/sisoma2/malware_analysis/tree/master/blackmatter", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/", "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html", "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/", 
"https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6", "https://blog.group-ib.com/blackmatter2", "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", "https://www.acronis.com/en-us/articles/darkside-ransomware/", "https://www.ic3.gov/Media/News/2021/211101.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/", "https://asec.ahnlab.com/en/34549/", "https://www.youtube.com/watch?v=qxPXxWMI2i4", "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", "https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/", "https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/", "https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside", "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/", "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/" ], "synonyms": [ "BlackMatter" ], "type": [] }, 
"uuid": "625bcba0-faab-468e-b5ab-61116cb1b5cf", "value": "DarkSide (Windows)" }, { "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", "http://telegra.ph/Analiz-botneta-DarkSky-12-30", "https://blog.radware.com/security/2018/02/darksky-botnet/" ], "synonyms": [], "type": [] }, "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", "value": "Darksky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat", "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/" ], "synonyms": [], "type": [] }, "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4", "value": "DarkStRat" }, { "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila", "https://securelist.com/dark-tequila-anejo/87528/" ], "synonyms": [], "type": [] }, "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494", "value": "DarkTequila" }, { "description": 
"DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver \"addon packages\" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.\r\n\r\nFrom January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla", "https://www.secureworks.com/research/darktortilla-malware-analysis" ], "synonyms": [], "type": [] }, "uuid": "fa08ee9c-d0e8-4c49-8a4d-af8e36206219", "value": "DarkTortilla" }, { "description": "According to PCrisk, DarkTrack is a malicious program classified as a Remote Access Trojan (RAT). This type of malware enables remote access and control over an infected device. The level of control these programs have varies; however, some can allow user-level manipulation of the affected machine.\r\n\r\nThe functionalities of RATs likewise vary, and so does the scope of potential misuse. 
DarkTrack has a broad range of functions/capabilities, which make this Trojan a highly dangerous piece of software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", "https://www.facebook.com/darktrackrat/", "https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1", "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html", "https://www.tgsoft.it/files/report/download.asp?id=7481257469" ], "synonyms": [], "type": [] }, "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", "value": "Darktrack RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvision_rat", "https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat" ], "synonyms": [], "type": [] }, "uuid": "a3fbf190-c562-4af0-8d9a-4a610b7a15e4", "value": "DarkVision RAT" }, { "description": "According to Enigmasoft, DarkVNC malware is a hacking tool that is available for purchase online. It can be used as a Virtual Network Computing service, which means that the attackers can get full access to the targeted system via this malware. However, unlike a genuine Virtual Network Computing utility, the DarkVNC threat operates in the background silently. 
Therefore, it is highly likely that the victims may not notice that their systems have been compromised.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc", "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884", "https://isc.sans.edu/diary/rss/28934", "https://reaqta.com/2017/11/short-journey-darkvnc/" ], "synonyms": [], "type": [] }, "uuid": "302b2b26-9833-4da7-94f5-a7bd152ad40c", "value": "DarkVNC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", "https://www.secureworks.com/research/threat-profiles/bronze-butler", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/" ], "synonyms": [ "Muirim", "Nioupale" ], "type": [] }, "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", "value": "Daserf" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator", "https://blog.reversinglabs.com/blog/data-exfiltrator" ], "synonyms": [ "FileSender" ], "type": [] }, "uuid": "96d727c3-bac6-4c7e-8868-b7237df55ecd", "value": "DataExfiltrator" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html", 
"https://www.macnica.net/mpressioncss/feature_05.html/", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [], "type": [] }, "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", "value": "Datper" }, { "description": "Symantec describes this as a malware written as Windows kernel driver, used by China-linked threat actors. The malware has a custom TCP/IP stack and is capable of hijacking connections.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin", "https://twitter.com/M_haggis/status/1498399791276912640", "https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6", "https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/", "https://teamt5.org/tw/posts/backdoor-of-driver-analysis-Daxin/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis", "https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" ], "synonyms": [ "DELIMEAT" ], "type": [] }, "uuid": "63bf3200-5e7b-4e29-ba1c-6bf834c15459", "value": "Daxin" }, { "description": "This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. 
The Delphi stager has the actual payload embedded as a resource and starts it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader", "https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/", "https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm", "https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/", "https://blog.vincss.net/re016-malware-analysis-modiloader/", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896", "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses", "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/", "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands", "https://securityintelligence.com/posts/email-campaigns-leverage-updated-dbatloader-deliver-rats-stealers/", "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html" ], "synonyms": [ "ModiLoader", "NatsoLoader" ], "type": [] }, "uuid": "17e0756b-6cc6-4c25-825c-5fd85c236218", "value": "DBatLoader" }, { "description": "This malware uses DropBox as C&C channel.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dboxagent", "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf" ], "synonyms": [], "type": [] }, "uuid": "407002c1-1781-4d1c-90bb-3d859f5c2943", "value": "DBoxAgent" }, { "description": "Ransomware written in .NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcdcrypt", "https://labs.k7computing.com/index.php/dcdcrypt-ransomware-decryptor/" ], "synonyms": [], 
"type": [] }, "uuid": "6192f006-e1ba-47cb-b388-af82e4435a51", "value": "DcDcrypt" }, { "description": "DCRat is a typical RAT that has been around since at least June 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://github.com/jeFF0Falltrades/rat_king_parser", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://community.riskiq.com/article/50c77491", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://cert.gov.ua/article/6279561", "https://embee-research.ghost.io/dcrat-manual-de-obfuscation/", "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html", "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html", "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://www.infinitumit.com.tr/dcrat-malware-analiz-raporu/", 
"https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://cert.gov.ua/article/160530", "https://cert.gov.ua/article/405538", "https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/", "https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/", "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://www.youtube.com/watch?v=ElqmQDySy48", "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time", "https://embeeresearch.io/dcrat-manual-de-obfuscation/", "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/", "https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://muha2xmad.github.io/malware-analysis/dcrat/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://axmahr.github.io/posts/asyncrat-detection/" ], "synonyms": [ "DarkCrystal RAT" ], "type": [] }, "uuid": "b32ffb50-8ef1-4c78-a71a-bb23089b4de6", "value": "DCRat" }, { "description": "A ransomware as used by MosesStaff, built around the DiskCryptor tool.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcsrv", "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" ], "synonyms": [ "DCrSrv" ], "type": [] }, "uuid": "7b2609aa-fc3f-4693-a3f1-da4cac77490c", "value": "DCSrv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": 
"78796a09-cac4-47fc-9e31-9f2ff5b8e377", "value": "DDKeylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://unit42.paloaltonetworks.com/atoms/rancortaurus/", "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/" ], "synonyms": [], "type": [] }, "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2", "value": "DDKONG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deadwood", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/", "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf" ], "synonyms": [ "Agrius", "DETBOSIT", "SQLShred" ], "type": [] }, "uuid": "b3ce3d4d-f115-4bd0-8d30-2b63e060b286", "value": "DEADWOOD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dealply", "https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/", "https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/", "https://securelist.com/threat-in-your-browser-extensions/107181" ], "synonyms": [], "type": [] }, "uuid": "4f32b912-59a9-4dae-9118-28d78e01fbfc", "value": "DealPly" }, { "description": "According to PCrisk, DearCry ransomware has been observed infecting systems via ProxyLogon vulnerabilities of Microsoft Exchange servers - mail and calendaring servers developed by Microsoft. 
While a patch has been released addressing these vulnerabilities, thousands of Microsoft Exchange servers remained unpatched at the time of research.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry", "https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b", "https://www.youtube.com/watch?v=qmCjtigVVR0", "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/", "https://www.youtube.com/watch?v=Hhx9Q2i7zGo", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.youtube.com/watch?v=MRTdGUy1lfw", "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", "https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s" ], "synonyms": [ "DoejoCrypt" ], "type": [] }, "uuid": "793f0f9d-fc1c-43e1-9010-2052a1cf696d", "value": "dearcry" }, { "description": "Also known as Wacatac ransomware due to its .wctc extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom", "https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html", "https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html", "https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md", "https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html", "https://blog.cyber5w.com/the-most-known-unpacking-technique", "https://twitter.com/Amigo_A_/status/1196898012645220354", "https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html", "https://asec.ahnlab.com/1269" ], "synonyms": [ "deathransom", "wacatac" ], "type": [] }, "uuid": "2bc6623a-d7d6-48fc-af79-647648f455aa", "value": "DeathRansom" }, { "description": "Ransomware written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf", 
"https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance" ], "synonyms": [], "type": [] }, "uuid": "c70e97ea-73bb-4342-a8cd-6cbe0e589bec", "value": "DECAF" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" ], "synonyms": [], "type": [] }, "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", "value": "Decebal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deepcreep", "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/", "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" ], "synonyms": [], "type": [] }, "uuid": "a29e21f9-b193-4369-8351-95860d56de03", "value": "DeepCreep" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deep_rat", "https://twitter.com/benkow_/status/1415797114794397701" ], "synonyms": [], "type": [] }, "uuid": "355ace5a-ae57-45b8-b49d-e3286c4c18cc", "value": "DeepRAT" }, { "description": "Defray is ransomware that appeared in 2017, and is targeted ransomware, mainly on the healthcare vertical.\r\n\r\nThe distribution of Defray has several notable characteristics:\r\nAccording to Proofpoint:\r\n\"\r\nDefray is currently being spread via Microsoft Word document attachments in email\r\nThe campaigns are as small as several messages each\r\nThe lures are custom crafted to appeal to the intended set of potential victims\r\nThe recipients are individuals or distribution lists, e.g., group@ and websupport@\r\nGeographic targeting is in the UK and US\r\nVertical targeting varies by campaign and is narrow and selective\r\n\"", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.defray", "https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/", "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals", "https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/" ], "synonyms": [ "Glushkov" ], "type": [] }, "uuid": "bbc6dbe3-0ade-4b80-a1cb-c19e23ea8b88", "value": "Defray" }, { "description": "Described by Elastic as being associated with win.jupyter, and being used in the context of initial access, persistence, and C&C capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos", "https://www.elastic.co/blog/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f" ], "synonyms": [], "type": [] }, "uuid": "e369e45e-0e92-4811-822e-5e598285465e", "value": "Deimos" }, { "description": "Trend Micro describes DeimosC2 as an open-source C&C framework that was released in June 2020. 
It is a fully-functional framework that allows for multiple attackers to access, create payloads for, and interact with victim computers. As a post-exploitation C&C framework, DeimosC2 will generate the payloads that need to be manually executed on computer servers that have been compromised through other means such as social engineering, exploitation, or brute-force attacks. Once it is deployed, the threat actors will gain the same access to the systems as the user account that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does not perform active or privilege escalation of any kind.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos_c2", "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf", "https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html", "https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/" ], "synonyms": [], "type": [] }, "uuid": "1f1a894f-7a1b-4b98-9280-d33cf884a539", "value": "DeimosC2" }, { "description": "According to CERT-UA, this malware makes use of XSLT (Extensible Stylesheet Language Transformations) and COM-hijacking. 
Its specificity is the presence of a server part, which is usually installed on compromised MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively turning a legitimate server into a malware control center.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.delivery_check", "https://cert.gov.ua/article/5213167", "https://twitter.com/msftsecintel/status/1681695399084539908" ], "synonyms": [ "CAPIBAR", "GAMEDAY" ], "type": [] }, "uuid": "73ef709e-c88d-4737-a3fb-81d7ece5c97d", "value": "DeliveryCheck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas" ], "synonyms": [], "type": [] }, "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", "value": "Delta(Alfa,Bravo, ...)" }, { "description": "Rust-based infostealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer", "https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html" ], "synonyms": [], "type": [] }, "uuid": "3b38cd03-a387-43ce-b8d9-c337d51a84d0", "value": "DeltaStealer" }, { "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" ], "synonyms": [], "type": [] }, "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59", "value": "Dented" }, { "description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. 
Due to its complexity and modular architecture, researchers believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon", "https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/" ], "synonyms": [], "type": [] }, "uuid": "17429ed4-6106-4a28-9a76-f19cd476d94b", "value": "Deprimon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" ], "synonyms": [], "type": [] }, "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", "value": "DeputyDog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock", "https://twitter.com/struppigel/status/812601286088597505" ], "synonyms": [], "type": [] }, "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", "value": "DeriaLock" }, { "description": "DeroHE is a ransomware that was spread to users after IObit, a Windows utility developer, was hacked. 
The malware is delivered as a DLL that is sideloaded by a legitimate, signed IObit License Manager application.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe", "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/" ], "synonyms": [], "type": [] }, "uuid": "d348373e-df43-4916-ac23-4f6e344c59e1", "value": "DeroHE" }, { "description": "A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://attack.mitre.org/groups/G0096", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html", "https://www.youtube.com/watch?v=YCwyc6SctYs", "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", 
"https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf", "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://attack.mitre.org/groups/G0001/", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", "https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/" ], "synonyms": [ "PHOTO" ], "type": [] }, "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", "value": "Derusbi (Windows)" }, { "description": "According to Microsoft, this was used in a limited destructive malware attack in early March 2022 impacting a single Ukrainian entity. DesertBlade is responsible for iteratively overwriting and then deleting overwritten files on all accessible drives (sparing the system if it is a domain controller).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.desertblade", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/" ], "synonyms": [], "type": [] }, "uuid": "9a23d11d-1a32-47c8-a35e-accb88a2a370", "value": "DesertBlade" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat" ], "synonyms": [], "type": [] }, "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", "value": "Devil's Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.devopt", "https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal" ], "synonyms": 
[], "type": [] }, "uuid": "7d7a870d-725f-4ea3-b344-9c1ad0500618", "value": "DevOpt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia", "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf" ], "synonyms": [ "CONIME" ], "type": [] }, "uuid": "4792fe0d-5c2f-44b1-861a-4b0501ccd335", "value": "Dexbia" }, { "description": "Dexphot is cryptominer malware attacking Windows machines to profit from their resources. It implements many techniques to evade common security systems and uses file-less techniques to inject its malicious behavior. According to Microsoft, Dexphot hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot relies on monitoring services and scheduled tasks that trigger re-infection when defenders attempt to remove the malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexphot", "https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/" ], "synonyms": [], "type": [] }, "uuid": "b9f6de53-13b3-4246-96d5-010851c75bdb", "value": "Dexphot" }, { "description": "Dexter is a computer virus or point of sale malware which infects computers running Microsoft Windows and was discovered by IT security firm Seculert, in December 2012. 
It infects PoS systems worldwide and steals sensitive information such as Credit Card and Debit Card information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/", "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html" ], "synonyms": [ "LusyPOS" ], "type": [] }, "uuid": "f44e6d03-54c0-47af-b228-0040299c349c", "value": "Dexter" }, { "description": "According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.\r\n\r\nOnce they gain access to the computer they will install the ransomware and let it encrypt the computer. 
If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://twitter.com/JakubKroustek/status/1087808550309675009", "https://securelist.com/cis-ransomware/104452/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.group-ib.com/media/iran-cybercriminals/", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/", "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/", "https://www.acronis.com/en-us/articles/Dharma-ransomware/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", 
"https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware", "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/", "https://www.justice.gov/usao-dc/press-release/file/1021186/download", "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://asec.ahnlab.com/en/54937/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack", "https://s3.documentcloud.org/documents/6986753/Secret-Service-Seattle-NIT-Warrant-Application.pdf", "https://www.theregister.com/2019/11/11/dharma_decryption_promises_data_recovery/", "http://web.archive.org/web/20191008053714/http://esec-lab.sogeti.com/posts/2016/06/07/the-story-of-yet-another-ransomfailware.html", "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", "https://research.checkpoint.com/2018/the-ransomware-doctor-without-a-cure/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", "https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une", "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/" ], "synonyms": [ "Arena", "Crysis", "Wadhrama", "ncov" ], "type": [] }, "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", "value": "Dharma" }, { "description": "According 
to PCrisk, DiamondFox is highly modular malware offered as malware-as-a-service, and is for sale on various hacker forums. Therefore, cyber criminals who are willing to use DiamondFox do not necessarily require any technical knowledge to perform their attacks.\r\n\r\nOnce purchased, this malware can be used to log keystrokes, steal credentials (e.g., usernames, email addresses, passwords), hijack cryptocurrency wallets, perform distributed denial of service (DDoS) attacks, and to carry out other malicious tasks.\r\n\r\nDiamondFox allows cyber criminals to choose which plug-ins to keep activated and see infection statistics in real-time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", "https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF", "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", "https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced", "https://www.scmagazine.com/inside-diamondfox/article/578478/", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/", "https://blog.cylance.com/a-study-in-bots-diamondfox" ], "synonyms": [ "Crystal", "Gorynch", "Gorynych" ], "type": [] }, "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", "value": "DiamondFox" }, { "description": "A ransomware with potential ties to Wizard Spider.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol", "https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday", "https://arcticwolf.com/resources/blog/karakurt-web", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/", 
"https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/", "https://www.ic3.gov/Media/News/2022/220120.pdf", "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/", "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/", "https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/", "https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/", "https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648", "https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922", "https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/", "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" ], "synonyms": [], "type": [] }, "uuid": "6fa944af-3def-437a-8a52-9234782b5bb8", "value": "Diavol" }, { "description": "A RAT written in .NET, used by FIN7 since 2021. 
In some instances dropped by ps1.powertrash.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://www.mandiant.com/resources/blog/evolution-of-fin7", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" ], "synonyms": [ "Lizar" ], "type": [] }, "uuid": "f8e7673a-c8dc-406a-851e-48756074b5c6", "value": "DICELOADER" }, { "description": "APT10's fork of the (open-source) Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice", "https://securelist.com/apt-trends-report-q1-2021/101967/", "https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "81c95462-62ba-4182-bba0-707e1f6cc1eb", "value": "DILLJUICE" }, { "description": "Downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilongtrash", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" ], "synonyms": [], "type": [] }, "uuid": "8d910ebf-131b-452c-8cc2-0226887259a0", "value": "DilongTrash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" ], "synonyms": [], "type": [] }, "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", "value": "Dimnie" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dinodas_rat", "https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html", "https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/" ], "synonyms": [ "XDealer" ], "type": [] }, "uuid": "a8eaa325-3e89-41af-9de0-ae2c992148a5", "value": "DinodasRAT" }, { "description": "Downloader.", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dinotrain", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" ], "synonyms": [], "type": [] }, "uuid": "8f4c0f4a-4b3f-4bce-be08-fabf4ec45399", "value": "DinoTrain" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt", "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/" ], "synonyms": [], "type": [] }, "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", "value": "DirCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe", "https://decoded.avast.io/martinchlumecky/dirtymoe-3/", "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html", "https://decoded.avast.io/martinchlumecky/dirtymoe-4/", "https://decoded.avast.io/martinchlumecky/dirtymoe-1/", "https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/", "https://decoded.avast.io/martinchlumecky/dirtymoe-5/" ], "synonyms": [], "type": [] }, "uuid": "9f324aaf-a54e-4532-bfc1-b23f1a77abbf", "value": "DirtyMoe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disk_knight", "https://www.lucadamico.dev/papers/malware_analysis/DiskKnight.pdf" ], "synonyms": [], "type": [] }, "uuid": "1e5d8ec2-e609-482d-93ef-8a0ab74b3da5", "value": "Disk Knight" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr", "https://twitter.com/r3c0nst/status/1232944566208286720", "https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/" ], "synonyms": [], "type": [] }, "uuid": "9e343fd7-3809-49af-9903-db7daeac339b", "value": "DispCashBR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs", "https://twitter.com/cyb3rops/status/1101138784933085191" ], "synonyms": [], "type": [] }, "uuid": 
"3bbf08fd-f147-4b23-9d48-a53ac836bc05", "value": "DispenserXFS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf", "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/", "https://content.fireeye.com/m-trends/rpt-m-trends-2017", "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", 
"https://securelist.com/shamoon-the-wiper-copycats-at-work/", "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/", "https://malwareindepth.com/shamoon-2012/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware" ], "synonyms": [ "Shamoon" ], "type": [] }, "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", "value": "DistTrack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent", "https://www.cert-pa.it/notizie/devergent-malware-fileless/", "https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/", "https://blog.talosintelligence.com/2019/09/divergent-analysis.html", "https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf" ], "synonyms": [ "Novter" ], "type": [] }, "uuid": "7ca1e2ad-6cf4-44cc-8559-2f71e4fb2801", "value": "Divergent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diztakun", "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [], "type": [] }, "uuid": "5e73185c-6070-45ed-88de-ed75580582eb", "value": "Diztakun" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dizzyvoid", "https://vblocalhost.com/uploads/2021/09/VB2021-12.pdf" ], "synonyms": [ "Errorroot" ], "type": [] }, "uuid": "ca45c584-bce5-4b8b-87df-a2919128db55", "value": "Dizzyvoid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dlrat", "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/" ], "synonyms": [], "type": [] }, "uuid": "b3f0f3a8-a50e-457b-a5dc-e17110ccac2f", "value": "DLRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/", "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" ], "synonyms": [], "type": [] }, "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed", "value": "DMA Locker" }, { "description": "DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff", "https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d", "https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/" ], "synonyms": [], "type": [] }, "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", "value": "DMSniff" }, { "description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. 
The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy", "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html" ], "synonyms": [], "type": [] }, "uuid": "7c35d10d-b3da-459e-a272-da2ea7cee4c2", "value": "DneSpy " }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger", "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/" ], "synonyms": [], "type": [] }, "uuid": "92db05a0-7d7e-40c3-94c8-ce3cd5e36daa", "value": "DNSChanger" }, { "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. 
This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://blog.talosintelligence.com/2017/03/dnsmessenger.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html", "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/" ], "synonyms": [ "TEXTMATE" ], "type": [] }, "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", "value": "DNSMessenger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/", "https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale", "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater", "https://marcoramilli.com/2019/04/23/apt34-webmask-project/", "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/", "https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf", "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", 
"https://nsfocusglobal.com/apt34-event-analysis-report/", "https://www.us-cert.gov/ncas/alerts/AA19-024A", "https://www.youtube.com/watch?v=ws1k44ZhJ3g", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" ], "synonyms": [ "Agent Drable", "AgentDrable", "Webmask" ], "type": [] }, "uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438", "value": "DNSpionage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnwipe", "https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html" ], "synonyms": [], "type": [] }, "uuid": "0f6c16ec-e15c-480b-a5d3-cf5efe71821a", "value": "dnWipe" }, { "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" ], "synonyms": [ "Shelma" ], "type": [] }, "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", "value": "DogHousePower" }, { "description": "Since late February 2023, Minodo Backdoor campaigns have been employed to deliver either the Project Nemesis information stealer or more sophisticated backdoors like Cobalt Strike. This backdoor collects basic system information, which it then transmits to the C2 server. In return, it receives an AES-encrypted payload. Notably, the Minodo Backdoor is designed to contact a different C2 address for domain-joined systems. 
This suggests that more capable backdoors, such as Cobalt Strike, are downloaded on higher-value targets instead of Project Nemesis.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.domino", "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/", "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor" ], "synonyms": [], "type": [] }, "uuid": "37169b2f-344e-4913-ab91-d447d597ffa7", "value": "Minodo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.donex", "https://dissect.ing/posts/donex-pt2/", "https://dissect.ing/posts/donex/", "https://isc.sans.edu/diary/rss/30812", "https://www.shadowstackre.com/analysis/donex" ], "synonyms": [], "type": [] }, "uuid": "2dcf3b68-9dd0-4e49-86ba-39f05599033d", "value": "Donex" }, { "description": "Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.donot", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://labs.k7computing.com/index.php/the-donot-apt/", "https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed" ], "synonyms": [], "type": [] }, "uuid": "6d22d9e1-b38d-4a6f-a4bb-1121ced4adfc", "value": "DONOT" }, { "description": "Donut is an open-source in-memory injector/loader, designed for execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It was used during attacks against U.S. organisations according to Threat Hunter Team (Symantec) and U.S. 
Defence contractors (Unit42).\r\nGithub: https://github.com/TheWover/donut", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://st.drweb.com/static/new-www/news/2024/september/Study_of_a_targeted_attack_on_a_Russian_rail_freight_operator_en.pdf", "https://thewover.github.io/Introducing-Donut/" ], "synonyms": [ "Donut" ], "type": [] }, "uuid": "d713f337-b9c7-406d-88e4-3352b2523c73", "value": "donut_injector" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf", "https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf", "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/" ], "synonyms": [], "type": [] }, "uuid": "b91e1d34-cabd-404f-84d2-51a4f9840ffb", "value": "DoorMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doplugs", "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx", "https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf", "https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/", "https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html", "https://files.speakerdeck.com/presentations/6d01e26c85a444d0a3f888e45629635f/hodur_recon2024.pdf", 
"https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/" ], "synonyms": [], "type": [] }, "uuid": "def463e0-0664-46aa-9888-d92380a4eebc", "value": "DOPLUGS" }, { "description": "DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex", "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true", "https://cyber-anubis.github.io/malware%20analysis/dridex/", "https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/", "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/", "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware", "https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/", "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://redcanary.com/blog/grief-ransomware/", "https://blogs.blackberry.com/en/2021/11/zebra2104", "https://twitter.com/BrettCallow/status/1453557686830727177?s=20", "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"b634a2ac-da01-43c0-b823-a235497a10a8", "value": "DoppelDridex" }, { "description": "Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: \".how2decrypt.txt\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.ic3.gov/Media/News/2020/201215-1.pdf", "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/", "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", 
"https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/", "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://redcanary.com/blog/grief-ransomware/", "https://twitter.com/AltShiftPrtScn/status/1385103712918642688", "https://twitter.com/BrettCallow/status/1453557686830727177?s=20", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", 
"https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://techcrunch.com/2020/03/01/visser-breach/", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.secureworks.com/research/threat-profiles/gold-heron", "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html", "https://twitter.com/vikas891/status/1385306823662587905", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/", "https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/", "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", "http://www.secureworks.com/research/threat-profiles/gold-heron", 
"https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen" ], "synonyms": [ "Pay OR Grief" ], "type": [] }, "uuid": "16a76dcf-92cb-4371-8440-d6b3adbb081b", "value": "DoppelPaymer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/", "https://research.checkpoint.com/dorkbot-an-investigation/", "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/", "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html" ], "synonyms": [], "type": [] }, "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", "value": "NgrBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" ], "synonyms": [], "type": [] }, "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", "value": "Dorshel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dosia", "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/", "https://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/", "https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/", "https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/", "https://viuleeenz.github.io/posts/2023/05/extracting-ddosia-targets-from-process-memory/", "https://www.team-cymru.com/post/a-blog-with-noname", "https://medium.com/@b42labs/data-insights-from-russian-cyber-militants-noname057-9f4db98f60e", "https://noname.be42late.co/" ], "synonyms": [ "DDOSIA" ], "type": [] }, "uuid": 
"eabd30ed-d2ec-43b5-b790-7381f93a3a03", "value": "Dosia" }, { "description": "According to Mandiant, DOSTEALER is a dataminer that mines browser login and cookie data. It is also capable of taking screenshots and logging keystrokes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dostealer", "https://www.mandiant.com/media/17826", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "3b4bf82d-5c57-4ea2-847d-f2fd292ba730", "value": "DOSTEALER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dot_ransomware", "https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html" ], "synonyms": [ "MZP Ransomware" ], "type": [] }, "uuid": "fc63c3ea-23ed-448d-9d66-3fb87ebea4ba", "value": "Dot Ransomware" }, { "description": "DOUBLEBACK is a newly discovered fileless malware deployed as part of an attack campaign that took place in December 2020. The threat actors responsible for the operations are tracked as UNC2529 by researchers. According to their findings, DOUBLEBACK is the final payload delivered onto the compromised systems. Its task is to establish and maintain a backdoor on the victim's machine. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html" ], "synonyms": [], "type": [] }, "uuid": "1cda1810-f705-4d6b-9c9e-f509f8c7f5c5", "value": "DOUBLEBACK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy", "https://twitter.com/Int2e_/status/1294565186939092994", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/" ], "synonyms": [ "VALIDATOR" ], "type": [] }, "uuid": "46a523ca-be25-4f59-bc01-2c006c58bf80", "value": "DoubleFantasy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefinger", "https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/" ], "synonyms": [], "type": [] }, "uuid": "4f1e5142-0f62-48ee-a4a7-d8072fd78dcf", "value": "DoubleFinger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit", "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor" ], "synonyms": [], "type": [] }, "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", "value": "DoublePulsar" }, { "description": "A wiper identified by CERT-UA on March 17th, written in C#.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero", 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero", "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://cert.gov.ua/article/38088", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://securelist.com/new-ransomware-trends-in-2022/106457/", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://unit42.paloaltonetworks.com/doublezero-net-wiper/" ], "synonyms": [ "FiberLake" ], "type": [] }, "uuid": "7b4234ff-a7c2-4991-b4bf-6e13c57103cd", "value": "DoubleZero" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", 
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/" ], "synonyms": [ "DELPHACY" ], "type": [] }, "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", "value": "Downdelph" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" ], "synonyms": [], "type": [] }, "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", "value": "Downeks" }, { "description": "DownPaper, sometimes delivered as sami.exe, is a Backdoor trojan. Its main functionality is to download\r\nand run a second stage. 
This malware has been observed in campaigns involving Charming Kitten, an Iranian cyberespionage group.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "http://www.clearskysec.com/charmingkitten/", "https://www.infinitumit.com.tr/apt-35/" ], "synonyms": [], "type": [] }, "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", "value": "DownPaper" }, { "description": "Cyber Defense Institute stated that this shellcode PE loader was observed staging win.hemigate.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dracu_loader", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "5f5e0719-7e2d-4d99-ac60-e9728b58c373", "value": "DracuLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" ], "synonyms": [], "type": [] }, "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", "value": "DramNudge" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus", "http://blog.nsfocus.net/stumbzarus-apt-lazarus/", "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf" ], "synonyms": [ "ThreatNeedle" ], "type": [] }, "uuid": "1ff3afab-8b3f-4b9c-90c7-61062d2dfe0b", "value": "DRATzarus" }, { "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. 
New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", "https://lokalhost.pl/gozi_tree.txt", "https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality", "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://community.riskiq.com/article/30f22a00" ], "synonyms": [], "type": [] }, "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", "value": "DreamBot" }, { "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. 
AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://community.riskiq.com/article/2cd1c003", "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", "http://www.secureworks.com/research/threat-profiles/gold-heron", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://artik.blue/malware3", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", "https://estr3llas.github.io/unveiling-custom-packers-a-comprehensive-guide/", 
"https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://community.riskiq.com/article/e4fb7245", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://blog.lexfo.fr/dridex-malware.html", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", "https://unit42.paloaltonetworks.com/banking-trojan-techniques/", "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/", "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf", "https://en.wikipedia.org/wiki/Maksim_Yakubets", "https://intel471.com/blog/privateloader-malware", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://home.treasury.gov/news/press-releases/sm845", "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/", "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://malwarebookreports.com/cryptone-cobalt-strike/", "https://twitter.com/TheDFIRReport/status/1356729371931860992", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/", 
"https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", "https://www.atomicmatryoshka.com/post/malware-headliners-dridex", "https://www.secureworks.com/research/threat-profiles/gold-heron", "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/", "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", "https://www.youtube.com/watch?v=1VB15_HgUkg", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", "https://twitter.com/Cryptolaemus1/status/1407135648528711680", "https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/", "https://viql.github.io/dridex/", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", "https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/", "https://twitter.com/felixw3000/status/1382614469713530883?s=20", "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/", "https://cyber-anubis.github.io/malware%20analysis/dridex/", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf", "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", 
"https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://assets.virustotal.com/reports/2021trends.pdf", "https://unit42.paloaltonetworks.com/travel-themed-phishing/", "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", "https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf", "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/", "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", "https://muha2xmad.github.io/unpacking/dridex/", 
"http://www.secureworks.com/research/threat-profiles/gold-drake", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "value": "Dridex" }, { "description": "Driftpin is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/" ], "synonyms": [ "Spy.Agent.ORM", "Toshliph" ], "type": [] }, "uuid": "76f6f047-1362-4651-bd2f-9ca10c119e8d", "value": "DRIFTPIN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion", "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" ], "synonyms": [ "Masson" ], "type": [] }, "uuid": "a752676f-06c1-426c-9fcb-6c199afc74af", "value": "Dripion" }, { "description": "Communicates via Google Drive.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driveocean", "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf" ], "synonyms": [ "Google Drive RAT" ], "type": [] }, "uuid": 
"730a4e94-4f9b-4f34-a1f3-1c97d341332c", "value": "DriveOcean" }, { "description": "Drokbk stands out for its use of the GitHub platform as part of its C&C infrastructure. This makes it difficult to detect and remove, as GitHub is not traditionally associated with malicious activities.\r\n\r\nDrokbk attacks have been linked to the Iranian APT group Nemesis Kitten. This group is believed to use Drokbk for cyberespionage and financial information theft activities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.drokbk", "https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver", "https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor", "https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/" ], "synonyms": [], "type": [] }, "uuid": "b29c0d53-597d-41c9-a1d0-04dbaa4917f8", "value": "Drokbk" }, { "description": "DropBook is a backdoor developed by the Molerats group and first appeared in late 2020. The backdoor abuses Facebook and Dropbox platforms for C2 purposes, where fake Facebook accounts are used by the operators to control the backdoor by posting commands on the accounts. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign" ], "synonyms": [], "type": [] }, "uuid": "8c142a72-0efb-4850-b684-bc6b5300f85e", "value": "DropBook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/" ], "synonyms": [], "type": [] }, "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", "value": "DROPSHOT" }, { "description": "Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group. 
\r\nIts core functionality includes operations to upload a file to the victim's computer, download a file from the victim's computer, dump disk volume data, persistence and more.\r\n\r\nA variant of Dtrack was found on Kudankulam Nuclear Power Plant (KNPP) which was used for a targeted attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack", "https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://securelist.com/my-name-is-dtrack/93338/", "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md", "https://securelist.com/dtrack-targeting-europe-latin-america/107798/", "https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage", "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/", "https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://blog.macnica.net/blog/2020/11/dtrack.html", "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", 
"https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [ "Preft", "TroyRAT" ], "type": [] }, "uuid": "414f95e1-aabe-4aa9-b9be-53e0826f62c1", "value": "Dtrack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "440daef1-385d-42fd-a714-462590d4ce6b", "value": "DualToy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", "https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN", "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/", "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/" ], "synonyms": [], "type": [] }, "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf", "value": "DarkHotel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute", "https://github.com/ch0sys/DUBrute" ], "synonyms": [], "type": [] }, "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad", "value": "DUBrute" }, { "description": "According to Tony Lambert, this is a malware written in .NET. 
It was observed to be delivered using the .NET Single File deployment feature.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail", "https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/", "https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection", "https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://securelist.com/ducktail-fashion-week/111017/", "https://www.zscaler.com/blogs/security-research/look-ducktail", "https://www.f-secure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf", "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf", "https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/", "https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf", "https://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin" ], "synonyms": [], "type": [] }, "uuid": "9313d400-2b39-4c0f-a967-554b71a23e70", "value": "DUCKTAIL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador" ], "synonyms": [], "type": [] }, "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5", "value": "Dumador" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", 
"https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf", "https://docs.broadcom.com/doc/w32-duqu-11-en", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" ], "synonyms": [], "type": [] }, "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", "value": "DuQu" }, { "description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware, NCSC assesses that the threat actor behind the attack had some kind of urgency in executing the files on the date of the attack, due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. 
\"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/", "https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html", "https://twitter.com/Irfan_Asrar/status/1213544175355908096", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [], "type": [] }, "uuid": "daa3d1e4-9265-4f1c-b1bd-9242ac570681", "value": "DUSTMAN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustpan", "https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1" ], "synonyms": [ "StealthVector" ], "type": [] }, "uuid": "c91fb5fa-e682-44c7-8782-70068cb68b24", "value": "DUSTPAN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dusttrap", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust?hl=en", "https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1" ], "synonyms": [ "CurveLoad", "DodgeBox", 
"StealthReacher" ], "type": [] }, "uuid": "cbe10c59-5a0f-4d21-abef-59f4fffe8292", "value": "DUSTTRAP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [ "Escad" ], "type": [] }, "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", "value": "Duuzer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack", "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", "https://github.com/649/APT38-DYEPACK", "https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch", "https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks", "https://content.fireeye.com/apt/rpt-apt38", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://securelist.com/lazarus-under-the-hood/77908/" ], "synonyms": [ "BanSwift", "swift" ], "type": [] }, "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", "value": "DYEPACK" }, { "description": "Dynamic Stealer is a Github Project C# written code by L1ghtN4n. This code collects passwords and uploads these to Telegram. 
According to Cyble this Eternity Stealer leverages code from this project and also Jester Stealer could be rebranded from it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dynamicstealer", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/" ], "synonyms": [], "type": [] }, "uuid": "b8b7b6e3-eef1-43cb-a251-e20a3e57d75e", "value": "DynamicStealer" }, { "description": "The Dyre Banking Trojan, discovered in June 2014, targets online banking websites for credential theft and fraud. It uses a man-in-the-browser approach, encryption, and spam emails for distribution. \r\n\r\nDyre's architecture includes a dropper and main DLL module, with techniques for persistence and evasion. Its command and control infrastructure is hidden through proxies, and it can adapt using a domain generation algorithm and I2P integration. Researchers have linked Dyre to the Gozi and Neverquest families. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html", "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", 
"https://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://www.secureworks.com/research/dyre-banking-trojan" ], "synonyms": [ "Dyreza" ], "type": [] }, "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "value": "Dyre" }, { "description": "According to Elastic, EagerBee loads additional capabilities using remotely-downloaded PE files hosted on its C2. However, its implementation and coding practices reveal a lack of advanced skills from the author, relying on basic techniques. During their research, they identified string formatting and underlying behavior that aligns with previous research attributed to a Chinese-speaking threat actor referred to as LuckyMouse (APT27, EmissaryPanda).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee", "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" ], "synonyms": [], "type": [] }, "uuid": "20615110-ec2a-4ead-a7e4-cadecf1fa6bc", "value": "EagerBee" }, { "description": "This RAT written in C# was derived from HorusEyesRat. It was modified by \"Arsium\" and published on GitHub. There is also a client builder included.\r\nGithub Source: https://github.com/arsium/EagleMonitorRAT", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagle_monitor_rat", "https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/" ], "synonyms": [], "type": [] }, "uuid": "c2839018-3e2a-44ac-9ad6-60dbc0973918", "value": "EagleMonitorRAT" }, { "description": "FireEye describes EASYNIGHT as a loader observed being used with several malware families, including HIGHNOON and HIGHNOON.LITE. 
The loader often acts as a persistence mechanism via search order hijacking.\r\n\r\nExamples include a patched bcrypt.dll with no other modification than an additional import entry, in the observed case \"printwin.dll!gzwrite64\" (breaking the file signature).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight", "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://content.fireeye.com/api/pdfproxy?id=86840" ], "synonyms": [], "type": [] }, "uuid": "0277b1e5-ea2d-4dec-bbaa-13e25a2d1f1c", "value": "EASYNIGHT" }, { "description": "Easy Stealer is a new information stealer written in Golang that is under active development. Since July 2023, the information stealer has been sold on the underground market, advertising a variety of capabilities, such as the ability to target crypto wallets and passwords. Based on VirusTotal data, it appears that developer test samples were uploaded in June 2023. The panel for the stealer is installed on the buyer's own infrastructure, allowing for exclusive control. The stated pricing models are: $35 for 7 days, $115 for 30 days, and $250 for 90 days. 
Given its user-friendly panel design and the affordable price range, combined with similar capabilities to other information stealers, Easy Stealer is likely to see an increase in distribution among various cyber criminals as it continues through active development.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.easystealer", "https://www.bridewell.com/insights/blogs/detail/uncovering-the-easy-stealer-infostealer" ], "synonyms": [], "type": [] }, "uuid": "200c9845-b1d0-4197-85df-b0a9cb78ef6e", "value": "Easy Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.echelon", "https://www.safeguardcyber.com/blog/security/echelon-malware-crypto-wallet-stealer-malware" ], "synonyms": [ "Echelon-Stealer" ], "type": [] }, "uuid": "e13ae741-a9fe-47f1-8016-e70c9fa7048e", "value": "Echelon" }, { "description": "EDA2 is a successor of HiddenTear. Just like HiddenTear it was developed as an open-source project by a security researcher and published on Github. It was meant as \"educational ransomware\" and purposefully had flaws in the encryption process that allow decryption of ransomed files.\r\n\r\nThis backfired, when threat actors began to modify HiddenTear and EDA2 source code. 
Some modifications introduced bugs where encrypted files were destroyed, others fixed the encryption flaws and made decryption without a key impossible.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", "https://twitter.com/JaromirHorejsi/status/815861135882780673", "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", "https://utkusen.com/blog/im-sorry-for-hidden-tear-eda2", "https://www.bleepingcomputer.com/news/security/hidden-tear-ransomware-developer-blackmailed-by-malware-developers-using-his-code/", "https://github.com/utkusen/eda2" ], "synonyms": [], "type": [] }, "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", "value": "EDA2" }, { "description": "Trend Micro describes EDRSilencer as a red team tool originally designed to interfere with endpoint detection and response solutions via the Windows Filtering Platform, which is actively being used by threat actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.edr_silencer", "https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html" ], "synonyms": [], "type": [] }, "uuid": "55108ee8-79c9-4ba7-9725-ec97f0b5293b", "value": "EDRSilencer" }, { "description": "According to Heimdal, Egregor ransomware infection happens via a loader, then, in the victim’s firewall, it enables the Remote Desktop Protocol. After this part, the malware is free to move inside the victim’s network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named “RECOVER-FILES.txt” in all the compromised folders. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor", "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/", "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor", "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars", 
"https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/", "https://twitter.com/redcanary/status/1334224861628039169", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia", "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/", "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/", "https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/", 
"https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/", "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/", "https://www.intrinsec.com/egregor-prolock/", "https://www.group-ib.com/blog/egregor", "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf", "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html", "https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware", "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/", "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", 
"https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/" ], "synonyms": [], "type": [] }, "uuid": "cd84bc53-8684-4921-89c7-2cf49512bf61", "value": "Egregor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel", "https://www.bitdefender.com/blog/labs/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/", "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", "value": "EHDevel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ekipa", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat/" ], "synonyms": [], "type": [] }, "uuid": "791a0902-7541-444a-a75e-19be97545917", "value": "Ekipa RAT" }, { "description": "The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. 
It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish", "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "0f5a2ce1-b44f-4088-a4c0-04456a90c174", "value": "ELECTRICFISH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder", "https://www.clearskysec.com/iec/" ], "synonyms": [], "type": [] }, "uuid": "31b18d64-815c-4464-8fcc-f084953a75f5", "value": "ElectricPowder" }, { "description": "Elirks is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. Most attacks using Elirks occur in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor. 
Multiple Elirks variants have been using Japanese blog services for the last couple of years.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", "https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", "value": "Elirks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html", "https://www.secureworks.com/research/threat-profiles/bronze-elgin", "https://www.joesecurity.org/blog/8409877569366580427", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf", "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" ], "synonyms": [ "EVILNEST" ], "type": [] }, "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", "value": "Elise" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eliza_rat", "https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal" ], "synonyms": [], "type": [] }, "uuid": 
"c13fc723-0fd8-4e27-b1d7-a71976ad0268", "value": "ElizaRAT" }, { "description": "This dropper masquerades as Adobe software, titled Adobe.msi. It is used to execute the Python-written backdoor used by this threat actor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmachete_dropper_2022", "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "synonyms": [], "type": [] }, "uuid": "66b8cbdc-6190-4568-b615-0ae8a51d2148", "value": "El Machete APT Backdoor Dropper" }, { "description": "ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer", "https://attack.mitre.org/software/S0064", "https://www.symantec.com/security-center/writeup/2015-122210-5724-99", "https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "https://attack.mitre.org/groups/G0023" ], "synonyms": [ "Elmost" ], "type": [] }, "uuid": "e0a8bb01-f0c8-4e2c-bd1e-4c84135ba834", "value": "ELMER" }, { "description": "Infostealer", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emansrepo", "https://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains", "https://nikhilh-20.github.io/blog/emansrepo_deobfuscation/" ], "synonyms": [], "type": [] }, "uuid": "0be856c5-66ae-4ad7-bd8d-6794391d33f7", "value": "emansrepo" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", "https://www.macnica.net/file/security_report_20160613.pdf", "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/", "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/" ], "synonyms": [], "type": [] }, "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", "value": "Emdivi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emissary", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" ], "synonyms": [], "type": [] }, "uuid": "a171f40a-85eb-4b64-af1d-8860a49b3b40", "value": "Emissary" }, { "description": "Orange Cyberdefense assesses that this loader is highly likely used by multiple financially motivated threat actors since at least February 2024 to deploy commodity RATs and infostealers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emmenhtal", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/", "https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide", "https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/", "https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution" ], "synonyms": [ "IDATDropper", "PEAKLIGHT" ], "type": [] }, "uuid": "24d6cedb-a11b-4383-bdb2-3c6c5dcf0e05", "value": "Emmenhtal" }, { "description": "While Emotet historically was a banking 
malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.\r\nIt is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.\r\nEmotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet", "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "https://blog.lumen.com/emotet-redux/", "https://spamauditor.org/2020/10/the-many-faces-of-emotet/", "https://community.riskiq.com/article/2cd1c003", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure", "https://muha2xmad.github.io/unpacking/emotet-part-1/", "https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/", "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/", "https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html", "https://securelist.com/financial-cyberthreats-in-2020/101638/", 
"https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates", "https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html", "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/", "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", "https://github.com/d00rt/emotet_research", "https://www.deepinstinct.com/blog/the-re-emergence-of-emotet", "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/", "https://github.com/cecio/EMOTET-2020-Reversing", "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/", "https://www.youtube.com/watch?v=8PHCZdpNKrw", "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://blog.vincss.net/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-emotet-samples/", "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/", "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure", "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation", "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled", "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", 
"https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728", "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html", "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/", "https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/", "https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://infosecwriteups.com/unpacking-emotet-trojan-dac7e6119a0a", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis", "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", "https://asec.ahnlab.com/en/33600/", "https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/", "https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/", 
"https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video", "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf", "https://blog.threatlab.info/malware-analysis-emotet-infection/", "https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents", "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/", "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/", "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/", "https://www.gdatasoftware.com/blog/2022/01/malware-vaccines", "https://www.youtube.com/watch?v=q8of74upT_g", "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html", "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/", "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/", "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf", "https://persianov.net/emotet-malware-analysis-part-1", "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack", "https://www.youtube.com/watch?v=cmJpRncrAp0", "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", "https://threatresearch.ext.hp.com/emotets-return-whats-different/", "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack", "https://medium.com/@zyadlzyatsoc/comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0", "https://www.hornetsecurity.com/en/security-information/emotet-is-back/", 
"https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/", "https://unit42.paloaltonetworks.com/new-emotet-infection-method/", "https://cyber.wtf/2021/11/15/guess-whos-back/", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", "https://blog.talosintelligence.com/emotet-switches-to-onenote/", "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", "https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/", "https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html", "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", "https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/", "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", "https://www.zscaler.com/blogs/security-research/return-emotet-malware", "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69", "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns", "https://experience.mandiant.com/trending-evil-2/p/1", "https://twitter.com/raashidbhatt/status/1237853549200936960", "https://shaddy43.github.io/MalwareAnalysisSeries/Emotet/", "https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return", "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html", "https://twitter.com/milkr3am/status/1354459859912192002", 
"https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", "https://blogs.cisco.com/security/emotet-is-back", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/", "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html", "https://muha2xmad.github.io/unpacking/emotet-part-2/", "https://www.digitalshadows.com/blog-and-research/emotet-disruption/", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128", "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", "https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak", "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/", 
"https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/", "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.esentire.com/security-advisories/emotet-activity-identified", "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/", "https://twitter.com/eduardfir/status/1461856030292422659", "https://www.jpcert.or.jp/english/at/2019/at190044.html", "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles", "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/", "https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams", "https://blog.talosintelligence.com/2020/11/emotet-2020.html", "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", "https://securelist.com/the-chronicles-of-emotet/99660/", "https://www.youtube.com/watch?v=_mGMJFNJWSk", "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html", "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return", 
"https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf", "https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure", "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html", "https://unit42.paloaltonetworks.com/emotet-command-and-control/", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html", "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/", "https://www.lac.co.jp/lacwatch/alert/20211119_002801.html", "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/", "https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/", "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/", "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/", "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/", 
"https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html", "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one", "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action", "https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/", "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break", "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff", "https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html", "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/", "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html", "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf", "https://www.youtube.com/watch?v=5_-oR_135ss", "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/", "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/", "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/", "https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf", "https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/", "https://www.secureworks.com/research/threat-profiles/gold-crestwood", "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", 
"https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612", "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/", "https://hatching.io/blog/powershell-analysis", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "http://ropgadget.com/posts/defensive_pcres.html", "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/", "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://blogs.vmware.com/security/2022/05/emotet-config-redux.html", "https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection", "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", "https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.cert.pl/en/news/single/whats-up-emotet/", "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", "https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/", 
"https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", "https://intel471.com/blog/emotet-takedown-2021/", "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", "https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://unit42.paloaltonetworks.com/emotet-thread-hijacking/", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers", "https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html", "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html", "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de", "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.lac.co.jp/lacwatch/people/20201106_002321.html", "https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5", "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware", "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", 
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf", "https://unit42.paloaltonetworks.com/c2-traffic/", "https://twitter.com/Cryptolaemus1/status/1516535343281025032", "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/", "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code", "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.hornetsecurity.com/en/threat-research/comeback-emotet/", "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", "https://persianov.net/emotet-malware-analysis-part-2", "https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/", "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/", "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", "https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/", "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/", "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/", "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/", "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/", "https://twitter.com/ContiLeaks/status/1498614197202079745", "https://feodotracker.abuse.ch/?filter=version_e", "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://isc.sans.edu/diary/28044", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", 
"https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/", "https://www.youtube.com/watch?v=AkZ5TYBqcU4", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://pl-v.github.io/plv/posts/Emotet-unpacking/", "https://www.bitsight.com/blog/emotet-botnet-rises-again", "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return", "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction", "https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/", "https://isc.sans.edu/diary/rss/27036", "https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html", "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/", "https://paste.cryptolaemus.com", "https://www.atomicmatryoshka.com/post/malware-headliners-emotet", "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", "https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html", "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://www.bitsight.com/blog/emotet-smb-spreader-back", "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii", "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/", 
"http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html", "https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/", "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/", "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", "https://www.youtube.com/watch?v=_BLOmClsSpc", "https://isc.sans.edu/diary/rss/28254", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://github.com/mauronz/binja-emotet", "https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection", "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb", "https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/", "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/", "https://d00rt.github.io/emotet_network_protocol/", 
"https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/", "https://estr3llas.github.io/unpacking-an-emotet-trojan/", "https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion", "https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/", "https://securelist.com/emotet-modules-and-recent-attacks/106290/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://forensicitguy.github.io/emotet-excel4-macro-analysis/", "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes", "https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures", "https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/", "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", "https://unit42.paloaltonetworks.com/domain-parking/", "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", "https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html", "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf" ], "synonyms": [ "Geodo", "Heodo" ], "type": [] }, "uuid": 
"d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", "value": "Emotet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://twitter.com/thor_scanner/status/992036762515050496", "https://www.mandiant.com/media/12596/download", "https://lab52.io/blog/wirte-group-attacking-the-middle-east/", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://attack.mitre.org/groups/G0096", "https://redcanary.com/blog/getsystem-offsec/", "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", "https://paper.seebug.org/1301/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://unit42.paloaltonetworks.com/atoms/obscureserpens/", "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html", "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/", "https://www.secureworks.com/research/threat-profiles/gold-heron", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "http://www.secureworks.com/research/threat-profiles/gold-heron", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "http://www.secureworks.com/research/threat-profiles/gold-burlap", "https://www.secureworks.com/research/threat-profiles/gold-ulrick" ], "synonyms": 
[], "type": [] }, "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", "value": "Empire Downloader" }, { "description": "Supposedly a worm that was active around 2012-2013.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emudbot", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp" ], "synonyms": [], "type": [] }, "uuid": "d3189268-443b-42f6-99a2-12d29f309c0b", "value": "Emudbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://attack.mitre.org/groups/G0011", "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf", "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/", "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/", "https://www.secureworks.com/research/threat-profiles/bronze-union" ], "synonyms": [ "Lurid" ], "type": [] }, "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", "value": "Enfal" }, { "description": "According to Trend Micro, this is a downloader dedicated to staging the execution of a second-stage malware called Enigma Stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enigma_loader", "https://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html" ], "synonyms": [], "type": [] }, "uuid": "7491f483-f3d2-4f90-be19-df1e3783f66f", "value": "Enigma Loader" }, { "description": "Entropy is a ransomware first seen in the 1st quarter of 2022 and is being used in conjunction with Dridex infections. 
The ransomware uses a custom packer to pack itself, which has been seen in some early Dridex samples.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy", "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen", "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728" ], "synonyms": [], "type": [] }, "uuid": "8dc64857-abb1-4926-8114-052f9ba4bc33", "value": "Entropy" }, { "description": "EntryShell is a fileless malware considered a variant of the KeyBoy malware, due to similarities in backdoor command IDs and debug messages with old KeyBoy samples. The embedded malware config was encrypted with a unique algorithm.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.entryshell", "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/" ], "synonyms": [], "type": [] }, "uuid": "73a0919b-1c81-4af5-a6d1-8fb5ae951269", "value": "EntryShell" }, { "description": "According to Microsoft, Enviserv is a malicious program that is unable to spread of its own accord. 
It may perform a number of actions of an attacker's choice on an affected computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enviserv", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Enviserv.A" ], "synonyms": [], "type": [] }, "uuid": "58071588-708d-447d-9fb4-8c9268142c82", "value": "Enviserv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.envyscout", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf", "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58", "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine", "https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/", "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/", "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/" ], "synonyms": [ "ROOTSAW" ], "type": [] }, "uuid": "0890e245-319d-4291-8f49-21dbc9486181", "value": "EnvyScout" }, { "description": "According to PCrisk, Epsilon is a ransomware-type program. 
This malware is designed to encrypt the data of infected systems in order to demand payment for decryption.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red", "https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/", "https://news.sophos.com/en-us/2021/05/28/epsilonred/", "https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/" ], "synonyms": [ "BlackCocaine" ], "type": [] }, "uuid": "d6d0bf38-c85c-41d3-bc0e-3477b458563e", "value": "Epsilon Red" }, { "description": "Epsilon Stealer is an information stealer sold as Malware-as-a-Service by a new French actor called \"Epsilon\". This malware is distributed as a game, mainly on Discord, but steals user credentials, crypto wallets, and stored cookies. It evades static detection by being packed with NSIS, which then launches a malicious Electron package.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_stealer", "https://github.com/IWcommunityFR/Epsilon-Stealer" ], "synonyms": [], "type": [] }, "uuid": "c9babd08-0db1-4004-8664-d1be08cf1db6", "value": "Epsilon Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug", "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html", "https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/" ], "synonyms": [], "type": [] }, "uuid": "c4490972-3403-4043-9d61-899c0a440940", "value": "EquationDrug" }, { "description": "Rough collection of EQGRP samples, to be sorted", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup", 
"https://laanwj.github.io/2016/09/17/seconddate-cnc.html", "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html", "https://laanwj.github.io/2016/09/01/tadaqueos.html", "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/", "https://laanwj.github.io/2016/08/28/feintcloud.html", "https://laanwj.github.io/2016/09/11/buzzdirection.html", "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html", "https://laanwj.github.io/2016/08/22/blatsting.html", "https://laanwj.github.io/2016/09/13/blatsting-rsa.html" ], "synonyms": [], "type": [] }, "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", "value": "Equationgroup (Sorting)" }, { "description": "Erbium is an information stealer advertised and sold as a Malware-as-a-Service on cybercrime forums and Telegram since at least July 2022. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, and file grabber capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer", "https://twitter.com/sekoia_io/status/1577222282929311744", "https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer", "https://twitter.com/abuse_ch/status/1565290110572175361", "https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/" ], "synonyms": [], "type": [] }, "uuid": "b566fe1f-7ed7-4932-b04d-355facdeab7a", "value": "Erbium Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus", "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" ], "synonyms": [], "type": [] }, "uuid": "06450729-fe60-4348-9717-c13a487738b9", "value": "Erebus (Windows)" }, { "description": "Eredel Stealer is a low price malware that allows 
for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel", "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab" ], "synonyms": [], "type": [] }, "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab", "value": "Eredel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erica_ransomware", "https://www.dropbox.com/s/f4uulu2rhyj4leb/Girl.scr_malware_report.pdf?dl=0" ], "synonyms": [], "type": [] }, "uuid": "0f4731b3-b661-4677-9e51-474504313202", "value": "Erica Ransomware" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eris", "https://lekstu.ga/posts/go-under-the-hood-eris/" ], "synonyms": [], "type": [] }, "uuid": "c4531af6-ab25-4266-af41-e01635a93abe", "value": "Eris" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.especter", "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html", "https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/" ], "synonyms": [], "type": [] }, "uuid": 
"3e89d4e6-f7bd-44fd-ade9-c3d408ce67fb", "value": "ESPecter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks", "https://github.com/stamparm/EternalRocks", "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" ], "synonyms": [ "MicroBotMassiveNet" ], "type": [] }, "uuid": "10dd9c6a-9baa-40b6-984a-0598c4d9a88f", "value": "EternalRocks" }, { "description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers, servers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", "https://securelist.com/from-blackenergy-to-expetr/78937/", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", "https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/", "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", "https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", 
"https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf", "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://istari-global.com/spotlight/the-untold-story-of-notpetya/", "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", 
"https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/", "https://attack.mitre.org/groups/G0034", "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine", "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/", "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html", "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html", "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", "https://gvnshtn.com/maersk-me-notpetya/", "https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", 
"https://www.riskiq.com/blog/labs/badrabbit/", "https://securelist.com/bad-rabbit-ransomware/82851/", "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://securelist.com/schroedingers-petya/78870/", "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/", "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", "http://www.intezer.com/notpetya-returns-bad-rabbit/" ], "synonyms": [ "BadRabbit", "Diskcoder.C", "ExPetr", "NonPetya", "NotPetya", "Nyetya", "Petna", "Pnyetya", "nPetya" ], "type": [] }, "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", "value": "EternalPetya" }, { "description": "This malware is part of the Eternity Malware \"Framework\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_clipper", "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group", "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/" ], "synonyms": [], "type": [] }, "uuid": 
"283928b7-2820-4230-a012-59302febff90", "value": "Eternity Clipper" }, { "description": "Eternity Framework Ransomware Payload", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_ransomware", "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/", "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/" ], "synonyms": [], "type": [] }, "uuid": "0554d721-71d7-49ff-965c-1512427b303e", "value": "Eternity Ransomware" }, { "description": "This Stealer is part of the eternity malware project.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_stealer", "https://blog.sekoia.io/eternityteam-a-new-prominent-threat-group-on-underground-forums/", "https://securityintelligence.com/news/eternity-gang-ransomware-as-a-service-telegram/", "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group", "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/", "https://blog.morphisec.com/nft-malware-new-evasion-abilities", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/", "https://blogs.blackberry.com/en/2022/06/threat-spotlight-eternity-project-maas-goes-on-and-on", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://twitter.com/3xp0rtblog/status/1509601846494695438", "https://ke-la.com/information-stealers-a-new-landscape/" ], "synonyms": [], "type": [] }, "uuid": "94bf44d8-3eb3-42b0-b906-102f2b8548f5", "value": "Eternity Stealer" }, { "description": "This malware is part of the Eternity Malware \"Framework\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_worm", 
"https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/", "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/" ], "synonyms": [], "type": [] }, "uuid": "9bdffa86-2bed-4d9d-8697-5d70e62015dc", "value": "Eternity Worm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", "https://www.secureworks.com/research/threat-profiles/bronze-globe", "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" ], "synonyms": [ "HighTide" ], "type": [] }, "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", "value": "EtumBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", "https://web.archive.org/web/20150310155151/http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/", "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" ], "synonyms": [], "type": [] }, "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", "value": "Evilbunny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilextractor", "https://www.netresec.com/?page=Blog&month=2023-04&post=EvilExtractor-Network-Forensics", "https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer" ], "synonyms": [], "type": [] }, "uuid": "e020212b-03ef-4168-97f5-bb72ff627d94", "value": "EvilExtractor" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn" ], "synonyms": [ "Vidgrab" ], "type": [] }, "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", "value": "EvilGrab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum", "https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions", "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities", "https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" ], "synonyms": [], "type": [] }, "uuid": "da922c36-ca13-4ea2-a22d-471e91ddac93", "value": "EVILNUM (Windows)" }, { "description": "A wiper used in an attack against Iran’s state broadcaster. 
Using campaign name coined by Check Point in lack of a better name for the wiper component.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilplayout", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/" ], "synonyms": [], "type": [] }, "uuid": "a90a1c08-00ea-49ad-8f79-9a4461fce48e", "value": "EvilPlayout" }, { "description": "Privately modded version of the Pony stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony", "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/" ], "synonyms": [ "CREstealer" ], "type": [] }, "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", "value": "EvilPony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial", "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" ], "synonyms": [], "type": [] }, "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", "value": "Evrial" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://www.wired.com/story/sandworm-centreon-russia-hack/", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://attack.mitre.org/groups/G0034" ], "synonyms": [], "type": [] }, "uuid": "dd68abd7-b20a-40a5-be53-ae8d45c1dd27", "value": "Exaramel (Windows)" }, { "description": "ExByte is a custom data exfiltration tool and infostealer observed being used during BlackByte ransomware 
attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exbyte", "https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware" ], "synonyms": [], "type": [] }, "uuid": "42f4fee9-a5c2-4643-be56-fba8700f835d", "value": "ExByte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" ], "synonyms": [ "Saber", "Sabresac" ], "type": [] }, "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98", "value": "Excalibur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://github.com/nccgroup/Royal_APT", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "74f8db32-799c-41e5-9815-6272908ede57", "value": "MS Exchange Tool" }, { "description": "ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat", "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html" ], "synonyms": [], "type": [] }, "uuid": "c932a2f3-1470-4b0c-8412-2d081901277b", "value": "Exile RAT" }, { "description": "Exfiltration tool written in .NET, used by at least one BlackMatter ransomware operator.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter", 
"https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration", "https://twitter.com/knight0x07/status/1461787168037240834?s=20", "https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool", "https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack", "https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up" ], "synonyms": [], "type": [] }, "uuid": "615e22f7-1b0e-44a0-a666-b95cb6b5e279", "value": "ExMatter" }, { "description": "According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a random string of characters.\r\n\r\nFor example, a file originally named \"1.jpg\" could appear as something similar to \"1.jpg.rnyZoV\" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications - \"[random-string]-decrypt.hta\" (e.g. \"rnyZoV-decrypt.hta\") - into affected folders. These files contain identical ransom messages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist", "https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81" ], "synonyms": [], "type": [] }, "uuid": "d742986c-04f0-48ef-aaa3-10eeb0e95be4", "value": "Exorcist" }, { "description": "Expiro malware has been around for more than a decade, and the malware authors still continue their work and update it with more features. 
Also the infection routine was changed in samples found in 2017 (described by McAfee).\r\nExpiro \"infiltrates\" executables on 32- and 64-bit Windows OS versions.\r\nIt has capabilities to install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials).\r\nThere is a newly described EPO file infector source code called m0yv in 2022, which is wrongly identified as expiro by some AVs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro", "https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf", "https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro", "https://youtu.be/3RYbkORtFnk", "https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d" ], "synonyms": [ "Xpiro" ], "type": [] }, "uuid": "fd34b588-7b00-4924-827b-6118bece0af1", "value": "Expiro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.explosive_rat", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/" ], "synonyms": [], "type": [] }, "uuid": "d3600857-b941-4d47-81ef-02c168396518", "value": "ExplosiveRAT" }, { "description": "According to Trend Micro, Extreme RAT (XTRAT, Xtreme Rat) is a Remote Access Trojan that can steal information. 
This RAT has been used in attacks targeting Israeli and Syrian governments last 2012.\r\n\r\nThis malware family of backdoors has the capability to receive commands such as File Management (Download, Upload, and Execute Files), Registry Management (Add, Delete, Query, and Modify Registry), Perform Shell Command, Computer Control (Shutdown, Log on/off), and Screen capture from a remote attacker. In addition, it can also log keystrokes of the infected systems.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://blogs.360.cn/post/APT-C-44.html", "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat", "https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/", "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", "https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1", "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", "https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/", "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [ "ExtRat" ], "type": [] }, "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38", "value": "Xtreme RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", "http://blog.talosintel.com/2017/01/Eye-Pyramid.html", "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/" ], "synonyms": [], "type": [] }, "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", "value": "Eye Pyramid" }, { "description": "EYService is the main part of the backdoor used by Nazar APT. 
This is a passive backdoor that relies on the now-discontinued Packet Sniffer SDK (PSSDK) from Microolap. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice", "https://www.epicturla.com/blog/the-lost-nazar", "https://blog.malwarelab.pl/posts/nazar_eyservice_comm/", "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://blog.malwarelab.pl/posts/nazar_eyservice/" ], "synonyms": [], "type": [] }, "uuid": "9b287426-e82f-407e-8d12-42dac4241bf8", "value": "EYService" }, { "description": "Fabookie is a Facebook account info stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fabookie", "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1", "https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware" ], "synonyms": [], "type": [] }, "uuid": "782aa125-42ff-4ca0-b9b1-362aac08566b", "value": "Fabookie" }, { "description": "Malware written in .NET that mimics WannaCry.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakecry", "https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/" ], "synonyms": [], "type": [] }, "uuid": "c9ac3322-c176-444c-8d72-603430dca2d0", "value": "FakeCry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", 
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" ], "synonyms": [ "Braviax" ], "type": [] }, "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", "value": "FakeRean" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", "https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf", "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" ], "synonyms": [], "type": [] }, "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", "value": "FakeTC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/" ], "synonyms": [], "type": [] }, "uuid": "6eb3546c-cb8b-447c-81d1-9c4c1166581d", "value": "FakeWord" }, { "description": "FancyFilter is a piece of code that documents code overlap between frameworks used by Regin and Equation Group. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter", "https://www.epicturla.com/previous-works/hitb2020-voltron-sta" ], "synonyms": [ "0xFancyFilter" ], "type": [] }, "uuid": "e7d06257-2bc6-45b6-8728-080df9932f90", "value": "fancyfilter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/", "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/" ], "synonyms": [ "DEMENTIAWHEEL" ], "type": [] }, "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", "value": "Fanny" }, { "description": "According to PCrisk, Fantom is a ransomware-type virus that imitates the Windows update procedure while encrypting files. This is unusual, since most ransomware encrypts files stealthily without showing any activity. 
During encryption, Fantom appends the names of encrypted files with the \".locked4\", \".fantom\" or \".locked\" extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt", "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" ], "synonyms": [], "type": [] }, "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034", "value": "FantomCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer", "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/" ], "synonyms": [], "type": [] }, "uuid": "f197b0a8-6bea-42ea-b57f-8f6f202f7602", "value": "Farseer" }, { "description": "FastLoader is a small .NET downloader, whose name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and upload it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscations. 
\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader" ], "synonyms": [], "type": [] }, "uuid": "21b86dbb-d000-449c-bfe4-41faede4bd89", "value": "FastLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos", "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf", "https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568", "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/" ], "synonyms": [], "type": [] }, "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", "value": "FastPOS" }, { "description": "According to PCrisk, FatalRAT is the name of a Remote Access Trojan (RAT). A RAT is a type of malware that allows the attacker to remotely control the infected computer and use it for various purposes.\r\n\r\nTypically, RATs are used to access files and other data, watch computing activities on the screen and capture screenshots, steal sensitive information (e.g., login credentials, credit card details).\r\n\r\nThere are many legitimate remote administration/access tools on the Internet. 
It is common that cybercriminals use those tools with malicious intent too.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat", "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html", "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis", "https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape", "https://www.youtube.com/watch?v=gjvnVZc11Vg", "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html" ], "synonyms": [ "Sainbox RAT" ], "type": [] }, "uuid": "28697d08-27c0-47a9-bfd6-654cac4d55cc", "value": "FatalRat" }, { "description": "According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET have also seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET have seen was compiled on May 24, 2019. They have seen them trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section of the ESET report, adds a lot of code, leading to large binaries. 
While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence our name for this backdoor component: FatDuke.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://www.secureworks.com/research/threat-profiles/iron-hemlock" ], "synonyms": [], "type": [] }, "uuid": "4325c84b-9a9b-4e7c-977f-20d7ae817b7e", "value": "FatDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fauppod", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ], "synonyms": [], "type": [] }, "uuid": "e363918a-92ec-49c0-b3b2-1d339200417b", "value": "Fauppod" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fct", "https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "a4eb3f1f-2cc6-4a0f-9dd8-6ebc192ec0cd", "value": "FCT" }, { "description": "FDMTP is a newly discovered hacking tool developed in .NET, used by Earth Preta. It functions as a simple malware downloader and is based on the TouchSocket framework over the Duplex Message Transport Protocol (DMTP). In one campaign, threat actors embedded FDMTP in the data section of a DLL. This allows it to be launched through DLL side-loading. The embedded network configurations are encoded and encrypted to enhance security and evade detection, utilizing Base64 and DES encryption methods. 
It has been observed to serve as a secondary control tool, often deployed by the PUBLOAD backdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fdmtp", "https://www.trendmicro.com/en_in/research/24/i/earth-preta-new-malware-and-strategies.html" ], "synonyms": [], "type": [] }, "uuid": "61a023be-3f35-4340-8d4a-8ffd2a5e035e", "value": "FDMTP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.feed_load", "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "a9cd466f-af46-48fa-906e-15cf27525c7f", "value": "FeedLoad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", "value": "Felismus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257", "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018", "value": "Felixroot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fengine", "https://www.zscaler.jp/blogs/security-research/naver-ending-game-lazarus-apt" ], "synonyms": [], "type": [] }, "uuid": "3087a4ed-1b6c-49f6-980f-59242825d2ee", "value": "fengine" }, { "description": "", "meta": { "refs": 
[ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fenix", "https://www.metabaseq.com/threat/fenix-botnet/", "https://dfir.ch/posts/botnex_fenix/" ], "synonyms": [], "type": [] }, "uuid": "e367f4e8-fcff-4a25-a7b9-095be2f797df", "value": "Fenix" }, { "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo", "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://feodotracker.abuse.ch/", "https://en.wikipedia.org/wiki/Maksim_Yakubets", "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html" ], "synonyms": [ "Bugat", "Cridex" ], "type": [] }, "uuid": "66781866-f064-467d-925d-5e5f290352f0", "value": "Feodo" }, { "description": "According to PCrisk, FFDroider is a malicious program classified as a stealer. It is designed to extract and exfiltrate sensitive data from infected devices. FFDroider targets popular social media and e-commerce platforms in particular.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ffdroider", "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html" ], "synonyms": [], "type": [] }, "uuid": "f557e98e-7e8c-450f-a2a2-abbe81a67a90", "value": "FFDroider" }, { "description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later). 
Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/", "https://twitter.com/3xp0rtblog/status/1321209656774135810", "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf" ], "synonyms": [], "type": [] }, "uuid": "6ad46852-24f3-4415-a4ab-57a52cd8a1cb", "value": "Ficker Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom", "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" ], "synonyms": [], "type": [] }, "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", "value": "FileIce" }, { "description": "Filerase is a .net API-based utility capable of propagating and recursively deleting files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail" ], "synonyms": [], 
"type": [] }, "uuid": "e5fbb536-4994-4bd5-b151-6d5e41ed9f5b", "value": "Filerase" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/" ], "synonyms": [], "type": [] }, "uuid": "87467366-679d-425c-8bea-b9f77c543252", "value": "Final1stSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", "https://blogs.cisco.com/security/talos/poseidon", "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" ], "synonyms": [ "Poseidon" ], "type": [] }, "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba", "value": "FindPOS" }, { "description": "FinFisher is a commercial software used to steal information and spy on affected victims. It began with few functionalities which included password harvesting and information leakage, but now it is mostly known for its full Remote Access Trojan (RAT) capabilities. It is mostly known for being used in governmental targeted and lawful criminal investigations. 
It is well known for its anti-detection capabilities and use of VMProtect.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", "https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization", "https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye", "https://github.com/RolfRolles/FinSpyVM", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/", "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", "https://securelist.com/finspy-unseen-findings/104322/", 
"https://netzpolitik.org/2022/nach-pfaendung-staatstrojaner-hersteller-finfisher-ist-geschlossen-und-bleibt-es-auch/", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2", "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization" ], "synonyms": [ "FinSpy" ], "type": [] }, "uuid": "541b64bc-87ec-4cc2-aaee-329355987853", "value": "FinFisher RAT" }, { "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL alongside the legitimate TeamViewer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finteam", "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/" ], "synonyms": [ "TeamBot" ], "type": [] }, "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433", "value": "FINTEAM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball", "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" ], "synonyms": [], "type": [] }, "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", "value": "Fireball" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firebird_rat", "https://twitter.com/casual_malware/status/1237775601035096064" ], "synonyms": [], "type": [] }, "uuid": "0d63d92b-6d4d-470d-9f13-acce0c76911c", "value": "FireBird RAT" }, { "description": "The purpose of this rootkit/driver is hiding and protecting malicious 
artifacts from user-mode components (e.g. files, processes, registry keys and network connections).\r\nAccording to FortiGuard Labs, this malware uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations, which is why this malware has to rely on specific OS builds.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili", "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html", "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits" ], "synonyms": [], "type": [] }, "uuid": "762ea155-1cec-4c67-9c4f-7e8f4c21e19e", "value": "Fire Chili" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt", "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" ], "synonyms": [], "type": [] }, "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", "value": "FireCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c", "value": "FireMalv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom", "https://twitter.com/JaromirHorejsi/status/815949909648150528" ], "synonyms": [], "type": [] }, "uuid": "1ab17959-6254-49af-af26-d34e87073e49", "value": "FirstRansom" }, { "description": "A custom loader for CobaltStrike.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster", "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/", "https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E", 
"https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021" ], "synonyms": [ "JollyJellyfish" ], "type": [] }, "uuid": "dd73f0c7-3bc6-4dc9-a0b7-507490df2a84", "value": "FishMaster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs", "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", "https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/", "https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/", "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue" ], "synonyms": [ "Thieflock" ], "type": [] }, "uuid": "4d0dc7a3-07bf-4cb9-ba86-c7f154c6b678", "value": "FiveHands" }, { "description": "This malware family 
is mainly spread through various private server clients in bundles, and mainly tampers with user system network data packets through technical means such as TDI filtering, DNS hijacking, HTTP(s) injection, and HOSTS redirection, hijacking normal web page access to designated private server websites, and using security software cloud detection and killing data packet shielding, shutdown callback rewriting and other means to achieve counter-detection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fk_undead", "https://gslab.qq.com/article-663-1.html" ], "synonyms": [ "Undead" ], "type": [] }, "uuid": "97e332bf-e229-44e6-a48b-b5b45947a856", "value": "FK_Undead" }, { "description": "According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victim’s environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:\r\n\r\nDownload and execute a tool\r\nExecute OS commands and send results\r\nCollect and send Windows authentication information", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro", "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech", "https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro", "https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/", "https://vblocalhost.com/uploads/VB2021-50.pdf", "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" ], "synonyms": [ "BUSYICE" ], "type": [] }, "uuid": "f6b10719-0f7a-45bc-9e47-1406b9966890", "value": "Flagpro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame", "https://securelist.com/the-flame-questions-and-answers-51/34344/", "https://github.com/juanandresgs/papers/raw/master/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", 
"https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf", "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.crysys.hu/publications/files/skywiper.pdf" ], "synonyms": [ "sKyWIper" ], "type": [] }, "uuid": "c40dbede-490f-4df4-a242-a2461e3cfc4e", "value": "Flame" }, { "description": " FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the\r\nremovable drive to the FLASHFLOOD-infected system. 
FLASHFLOOD may also log or copy additional data from the victim computer, such as system information\r\nor contacts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood", "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "0ce7e94e-da65-43e4-86f0-9a0bb21d1118", "value": "FLASHFLOOD" }, { "description": "According to Intezer, this is a shellcode loader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flash_develop", "https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/" ], "synonyms": [], "type": [] }, "uuid": "36e0e97f-fb94-4224-83a9-83274f274fe9", "value": "FlashDevelop" }, { "description": "FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to criminal gang TA505 and used to gain control of target machines. The name reflects the strong link with the leaked source code of Ammyy Admin, from which it took its main structure. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://habr.com/ru/company/pt/blog/475328/", "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930", "https://attack.mitre.org/software/S0381/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/", "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.youtube.com/watch?v=N4f2e8Mygag", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", 
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", "value": "FlawedAmmyy" }, { "description": "According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It seems to have been developed mainly in the second half of 2017.\r\n\r\nFlawedGrace uses a series of commands, provided below for reference:\r\n* desktop_stat\r\n* destroy_os\r\n* target_download\r\n* target_module_load\r\n* target_module_load_external\r\n* target_module_unload\r\n* target_passwords\r\n* target_rdp\r\n* target_reboot\r\n* target_remove\r\n* target_script\r\n* target_servers\r\n* target_update\r\n* target_upload\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace", "https://web.archive.org/web/20221115161556/https://blog.codsec.com/posts/malware/gracewire_adventure/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/", "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace", "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://blog.codsec.com/posts/malware/gracewire_adventure/", "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem", "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", 
"https://intel471.com/blog/a-brief-history-of-ta505", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://twitter.com/MsftSecIntel/status/1273359829390655488", "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" ], "synonyms": [ "GraceWire" ], "type": [] }, "uuid": "ef591233-4246-414b-9fbd-46838f3e5da2", "value": "FlawedGrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "2431a1e5-4e64-454a-94c8-8a95f88d2d4a", "value": "FlexiSpy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", "http://adelmas.com/blog/flokibot.php", "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", "http://blog.talosintel.com/2016/12/flokibot-collab.html#more" ], "synonyms": [], "type": [] }, "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", "value": "FlokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", 
"https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.sstic.org/media/SSTIC2024/SSTIC-actes/la_retro-ingnierie_de_code_malveillant_dans_la_cti/SSTIC2024-Article-la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection-meslay.pdf", "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis", "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", "https://static.sstic.org/videos2024/1080p/la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection.mp4", "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/", "https://www.sstic.org/media/SSTIC2024/SSTIC-actes/la_retro-ingnierie_de_code_malveillant_dans_la_cti/SSTIC2024-Slides-la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection-meslay.pdf" ], "synonyms": [], "type": [] }, "uuid": "b018c5a7-ab70-4df0-b5aa-ceb1efd4b541", "value": "FlowCloud" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], "type": [] }, "uuid": "0024c2d9-673f-4999-b240-4ae61a72c9b9", "value": "FlowerShop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library", "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [], "type": [] }, "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", "value": "Floxif" }, { "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a 
variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc", "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" ], "synonyms": [], "type": [] }, "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03", "value": "Flusihoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/" ], "synonyms": [], "type": [] }, "uuid": "a6f4d003-abe5-46ed-9e71-555b067f4d5a", "value": "FlyingDutchman" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flystudio", "https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/" ], "synonyms": [], "type": [] }, "uuid": "19228908-ba8b-4718-86b3-209c7f1ae0bf", "value": "FlyStudio" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" ], "synonyms": [], "type": [] }, "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", "value": "Fobber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix", "https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/", "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/" ], "synonyms": [], "type": [] }, "uuid": 
"f8d501bc-cf5a-4e19-a7fa-fb0aac18cc63", "value": "FONIX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.forest_tiger", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" ], "synonyms": [ "ScoringMathTea" ], "type": [] }, "uuid": "685106fc-05ba-4d3b-90c3-91486986c35d", "value": "ForestTiger" }, { "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption", "https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://medium.com/@shaddy43/layers-of-deception-analyzing-the-complex-stages-of-xloader-4-3-malware-evolution-2dcb550b98d9", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view", "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware", "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882", "https://blog.netlab.360.com/purecrypter", 
"https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://tehtris.com/en/blog/cracking-formbook-malware-blind-deobfuscation-and-quick-response-techniques/", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://0xmrmagnezi.github.io/malware%20analysis/FormBook/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout", "https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", "https://www.malware-traffic-analysis.net/2023/06/05/index.html", "https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43", "https://youtu.be/aQwnHIlGSBM", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", "https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", 
"https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/", "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/", "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/", "https://blog.talosintelligence.com/2018/06/my-little-formbook.html", "https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/", "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md", "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", "https://isc.sans.edu/diary/26806", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://cert.gov.ua/article/955924", "https://www.connectwise.com/resources/formbook-remcos-rat", "https://link.medium.com/uaBiIXgUU8", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/", "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", 
"https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two", "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/", "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/", "https://asec.ahnlab.com/en/32149/", "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/", "https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails", "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", "https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/", "https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer" ], "synonyms": [ "win.xloader" ], "type": [] }, "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", "value": "Formbook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", "https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html", 
"https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies" ], "synonyms": [ "ffrat" ], "type": [] }, "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", "value": "FormerFirstRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fortunecrypt", "https://securelist.com/ransomware-two-pieces-of-good-news/93355/" ], "synonyms": [], "type": [] }, "uuid": "02caba7c-1820-40a3-94ae-dc89b5662b3e", "value": "FortuneCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.foxsocket", "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html" ], "synonyms": [], "type": [] }, "uuid": "61b35242-0e16-4502-a909-f4fd5e32abcb", "value": "FoxSocket" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fpspy", "https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" ], "synonyms": [], "type": [] }, "uuid": "c3b865a8-6d2d-4ed4-a534-2db4d2e9a579", "value": "FPSpy" }, { "description": "A RAT employing Node.js, Sails, and Socket.IO to collect information on a target", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.frat", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md" ], "synonyms": [], "type": [] }, "uuid": "695f3381-302f-4fd0-b7a5-4e852291ce91", "value": "FRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", 
"https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/" ], "synonyms": [ "SHUTTERSPEED" ], "type": [] }, "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", "value": "Freenki Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/", "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/", "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [ "BitPaymer", "DoppelPaymer", "IEncrypt" ], "type": [] }, "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", "value": "FriedEx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fs0ciety", "https://elastio.com/detectable-ransomware/fs0ciety-locker/" ], "synonyms": [], "type": [] }, "uuid": 
"1587112e-fb7f-411b-af04-0dd7484befd5", "value": "Fs0ciety" }, { "description": "FudModule is a user-mode DLL that gets the ability to read and write arbitrary kernel memory via the BYOVD technique. Its main goal is to turn off Windows system monitoring features, which is done by modifying kernel variables and removing kernel callbacks. Its actions may very likely affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule", "https://www.mandiant.com/resources/blog/lightshift-and-lightshow", "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/", "https://asec.ahnlab.com/ko/40495/", "https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf", "https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/", "https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/", "https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/", "https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf", "https://www.gendigital.com/blog/news/innovation/lazarus-fudmodule-v3", "https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/" ], "synonyms": [ "LIGHTSHOW" ], "type": [] }, "uuid": "49b53f39-3e13-48e7-a2e3-5e173af343b3", "value": "FudModule" }, { "description": "Fujinama is a custom VB info stealer capable to execute custom commands and custom exfiltrations, keylogging and screenshot. 
It was involved in the compromise of Leonardo SpA, a major Italian aerospace and defense company.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fujinama", "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa" ], "synonyms": [], "type": [] }, "uuid": "efd4ec64-ad22-424b-9b7a-d9060cc29d3b", "value": "win.fujinama" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" ], "synonyms": [ "RouterGod" ], "type": [] }, "uuid": "58eb97d1-0c29-4596-bd4a-4590b28d988f", "value": "FunnySwitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf" ], "synonyms": [], "type": [] }, "uuid": "46417b64-928a-43cd-91a6-ecee4c6cd4a7", "value": "FunnyDream" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", "https://sentinelone.com/blogs/sfg-furtims-parent/" ], "synonyms": [], "type": [] }, "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1", "value": "Furtim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fusiondrive", "https://www.youtube.com/watch?v=_qdCGgQlHJE" ], "synonyms": [], "type": [] }, "uuid": "5de632a3-bf82-4cef-90fa-e7199fdb932c", "value": "FusionDrive" }, { "description": "FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.\r\n\r\nIt contains two distinguishing hardcoded lists.\r\n\r\nFirst is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012). \r\n\r\nSecond is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.\r\n\r\nFuwuqiDrama stores its configuration in the INI file data\\package_con_x86.cat. 
It contains the port number and a bot identifier, all within a single section called Fuwuqi – the romanized Chinese word for server.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" ], "synonyms": [], "type": [] }, "uuid": "9284445c-96a8-445d-8e9d-93a093ffbe63", "value": "FuwuqiDrama" }, { "description": "FuxSocy has some similarities to win.cerber but is tracked as its own family for now.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy", "http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html", "https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/" ], "synonyms": [], "type": [] }, "uuid": "289b4ffd-d406-44b1-99d4-3406dfd24adb", "value": "FuxSocy" }, { "description": "According to ANY.RUN, GaboonGrabber is malware developed in .NET that grabs its embedded resources to prepare multiple fileless stages. Additionally, it tends to camouflage itself as a legitimate application, going so far as to mimic legitimate applications in its decompiled code. 
It also includes a steganographic image used to prepare further payloads.\r\n\r\nGaboonGrabber's final stage can deploy various types of malware, including Snake Keylogger, AgentTesla, Redline, Lokibot, and more.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaboongrabber", "https://app.any.run/tasks/65855217-7209-4eae-a572-b030a2305b22/", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/" ], "synonyms": [], "type": [] }, "uuid": "455e4248-ba91-4bc9-8459-7d9c54d5dda6", "value": "GaboonGrabber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux", "https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader/" ], "synonyms": [], "type": [] }, "uuid": "551140ca-001b-49d8-aa06-82a5aebb02dd", "value": "Gacrux" }, { "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader" ], "synonyms": [], "type": [] }, "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", "value": "GalaxyLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos", "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" ], "synonyms": [ "pios" ], "type": [] }, "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", "value": "gamapos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" ], "synonyms": [], "type": [] }, "uuid": 
"c4afb7c6-cfba-40d7-aa79-a2829828ed92", "value": "Gameover DGA" }, { "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p", "https://www.lawfareblog.com/what-point-these-nation-state-indictments", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.wired.com/?p=2171700", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", "https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf", "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf", "https://bin.re/blog/three-variants-of-murofets-dga/", "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://nbviewer.org/github/tildedennis/zeusmuseum/blob/master/jupyter_notebooks/gameover/2014-05-28/Gameover%20version%202014-05-28.ipynb", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.wired.com/2017/03/russian-hacker-spy-botnet/", 
"http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/" ], "synonyms": [ "GOZ", "Gameover ZeuS", "Mapp", "ZeuS P2P" ], "type": [] }, "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", "value": "Gameover P2P" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.game_player_framework", "https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/", "https://www.youtube.com/watch?v=yVqALLtvkN8&t=8117s" ], "synonyms": [], "type": [] }, "uuid": "3efdc56a-793c-4fbb-99ea-a4d53899713a", "value": "GamePlayerFramework" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" ], "synonyms": [], "type": [] }, "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded", "value": "Gamotrol" }, { "description": "GandCrab was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, GandCrab’s operators posted on a dark web forum, announcing the end of a little more than a year of ransomware operations and citing staggering profit figures. 
However, If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://isc.sans.edu/diary/23417", "https://vimeo.com/449849549", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.secureworks.com/research/threat-profiles/gold-garden", 
"https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/", "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/", "https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom", "https://asec.ahnlab.com/en/41450/", "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/", "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "http://asec.ahnlab.com/1145", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", 
"https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/", "https://unit42.paloaltonetworks.com/revil-threat-actors/", "http://www.secureworks.com/research/threat-profiles/gold-garden", "https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware", "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html", "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/", "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind", "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/" ], "synonyms": [ "GrandCrab" ], "type": [] }, "uuid": 
"a8d83baa-cf2e-4329-92d7-06c8ccdeb275", "value": "Gandcrab" }, { "description": "A backdoor used by the Mespinoza ransomware gang to maintain access to a compromised network.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gasket", "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "7ed854ba-c280-4d5b-9b84-c61dddd43f66", "value": "Gasket" }, { "description": "Gaudox is an HTTP loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32-bit only).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox", "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" ], "synonyms": [], "type": [] }, "uuid": "591b2882-65ba-4629-9008-51ed3467510a", "value": "Gaudox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf" ], "synonyms": [], "type": [] }, "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691", "value": "Gauss" }, { "description": "Gazavat (which is often tagged as Expiro by AV vendors) is a multi-functional backdoor that has code overlaps with the POS malware DMSniff. 
Functionality includes:\r\n- Loading other executables\r\n- Load hash cracking plugin\r\n- Load DMSniff plugin\r\n- Perform webinjection and webfakes\r\n- Form grabbing\r\n- Command execution\r\n- Download file from infected system\r\n- Convert infection into proxy\r\n- DDOS\r\n- Spreading and EXE infecting", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazavat", "https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d" ], "synonyms": [], "type": [] }, "uuid": "ac74e25e-6c73-416d-990f-2bcf0f19df2d", "value": "Gazavat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://www.youtube.com/watch?v=Pvzhtjl86wc", "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html", "https://github.com/eset/malware-ioc/tree/master/turla", "https://securelist.com/introducing-whitebear/81638/", "https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html", "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf", "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html" ], "synonyms": [ "WhiteBear" ], "type": [] }, "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", "value": "Gazer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner", "https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md", "https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/", 
"https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://bazaar.abuse.ch/browse/signature/GCleaner/" ], "synonyms": [], "type": [] }, "uuid": "874d6868-08fd-4b66-877d-fd2174f0d275", "value": "GCleaner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman", "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" ], "synonyms": [], "type": [] }, "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e", "value": "gcman" }, { "description": "According to Unit 42, this is a .NET X64 malware that is capable of interaction with GoogleDrive, allowing an attacker to have victim information uploaded and payloads delivered.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gdrive", "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/", "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/" ], "synonyms": [ "DoomDrive", "GoogleDriveSucks" ], "type": [] }, "uuid": "61c90604-d0f6-437c-920a-f1d6d9f76c55", "value": "Gdrive" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer", "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html" ], "synonyms": [], "type": [] }, "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", "value": "GearInformer" }, { "description": "According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. 
It is designed to replace a legitimate Fax Service DLL.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "06d80b50-703a-4cf9-989e-b8b1bf71144a", "value": "GEARSHIFT" }, { "description": "According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key.\r\nGEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "e46ae329-a619-4cfc-8059-af326c11ee79", "value": "GEMCUTTER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.geminiduke", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" ], "synonyms": [], "type": [] }, "uuid": "f3a4863f-1acd-4476-a8c7-1d4c162426e0", "value": "GeminiDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", "https://github.com/Tera0017/TAFOF-Unpacker", "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", 
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md", "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/", "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.goggleheadedhacker.com/blog/post/13" ], "synonyms": [ "FRIENDSPEAK", "GetandGo" ], "type": [] }, "uuid": "f6aa0163-bde3-44a2-8acc-3e7a04cf167d", "value": "Get2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", "value": "GetMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass", "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html", 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-26-getmypass-point-of-sale-malware.md", "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/" ], "synonyms": [ "getmypos" ], "type": [] }, "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", "value": "GetMyPass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.get_pwd", "https://ihonker.org/thread-1504-1-1.html" ], "synonyms": [], "type": [] }, "uuid": "a762023d-8d46-43a8-be01-3b2362963de0", "value": "get_pwd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0stbins", "https://any.run/cybersecurity-blog/gh0stbins-chinese-rat-malware-analysis/" ], "synonyms": [ "Gh0stBins RAT" ], "type": [] }, "uuid": "07ef4b03-c512-490c-905a-f7c2e3a47eba", "value": "Gh0stBins" }, { "description": "Custom RAT developed by the BlackTech actor, based on the Gh0st RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes", "https://www.youtube.com/watch?v=uakw2HMGZ-I", "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" ], "synonyms": [], "type": [] }, "uuid": "9c89baf1-9639-4990-b218-14680170944f", "value": "Gh0stTimes" }, { "description": "According to Mandiant, GHAMBAR is a remote administration tool (RAT) that communicates with its C2 server using SOAP requests over HTTP. 
Its capabilities include filesystem manipulation, file upload and download, shell command execution, keylogging, screen capture, clipboard monitoring, and additional plugin execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghambar", "https://www.mandiant.com/media/17826", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "4b9216e7-3a64-4b2e-97fd-54697d87cb72", "value": "GHAMBAR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/" ], "synonyms": [ "CoreImpact (Modified)", "Gholee" ], "type": [] }, "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", "value": "Ghole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor", "https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf", "https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit", "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/" ], "synonyms": [], "type": [] }, "uuid": "968e52d1-e1d1-499a-acdc-b21522646e28", "value": "GhostEmperor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostengine", "https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_GhostEngine.yar", "https://www.darkreading.com/cyberattacks-data-breaches/novel-edr-killing-ghostengine-malware-stealth", "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine" ], 
"synonyms": [], "type": [] }, "uuid": "2ead704c-d486-4127-b86a-5a409cc0f5d7", "value": "win.ghostengine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", "https://en.wikipedia.org/wiki/GhostNet", "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf", "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html" ], "synonyms": [ "Remosh" ], "type": [] }, "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", "value": "Gh0stnet" }, { "description": "GhostSocks, a Golang-based proxy malware, was first advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in October 2023. It uses back-connect socket secure internet protocol (SOCKS5) connections and is available for rent for US $100 per month. In February 2024, the author of Lumma Stealer released an update introducing the integration of proxying capabilities. This feature, developed in partnership with GhostSocks, allows the use of infected hosts as SOCKS5 proxies and is available to all subscribers who purchase the \"Professional\" or higher tier plan. 
This integration allows Lumma Stealer users to establish a network of residential IP addresses for various purposes, including credential checking, spam distribution, or as general-purpose proxies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostsocks", "https://twitter.com/g0njxa/status/1754630820650696875" ], "synonyms": [], "type": [] }, "uuid": "3b22582f-17fc-44d9-8218-f6c7b0ccf3c5", "value": "GhostSocks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin", "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html", "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/" ], "synonyms": [ "Ghost iBot" ], "type": [] }, "uuid": "6201c337-1599-4ced-be9e-651a624c20be", "value": "GhostAdmin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_locker", "https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec", "https://threatmon.io/ghostlocker-ransomware-analysis/" ], "synonyms": [], "type": [] }, "uuid": "9b050f86-edad-40ed-9a93-b7c03444bfa5", "value": "GhostLocker" }, { "description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/", "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits", "https://www.secureworks.com/research/threat-profiles/bronze-edison", "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf", "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", "https://attack.mitre.org/groups/G0011", "https://blog.talosintelligence.com/2019/09/panda-evolution.html", "https://asec.ahnlab.com/en/32572/", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.prevailion.com/the-gh0st-remains-the-same-2/", "https://hackcon.org/uploads/327/05%20-%20Kwak.pdf", "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf", "https://attack.mitre.org/groups/G0096", "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", "https://www.youtube.com/watch?v=uakw2HMGZ-I", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/", 
"https://attack.mitre.org/groups/G0026", "https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf", "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41", "https://s.tencent.com/research/report/836.html", "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure", "https://www.intezer.com/blog-chinaz-relations/", "https://attack.mitre.org/groups/G0001/", "https://www.intezer.com/blog/malware-analysis/chinaz-relations/", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "http://www.malware-traffic-analysis.net/2018/01/04/index.html", "https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", "https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/", "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", "http://www.nartv.org/mirror/ghostnet.pdf", "https://unit42.paloaltonetworks.com/atoms/iron-taurus/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", 
"https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "https://blog.cylance.com/the-ghost-dragon", "https://risky.biz/whatiswinnti/", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", "https://www.datanet.co.kr/news/articleView.html?idxno=133346", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html", "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/", "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html", "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html", "http://www.hexblog.com/?p=1248", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", "https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-globe", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html" ], "synonyms": [ "Farfli", "Gh0st RAT", "PCRat" ], "type": [] }, "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", "value": "Ghost RAT" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_secret", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" ], "synonyms": [], "type": [] }, "uuid": "0b317327-6783-441f-8634-388599cbbff6", "value": "GhostSecret" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish", "https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "f561656c-19d1-4b07-a193-3293d053e774", "value": "Gibberish" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.giffy", "https://vx-underground.org/archive/APTs/2016/2016.09.06/Buckeye.pdf" ], "synonyms": [], "type": [] }, "uuid": "6ad51e4a-b44d-43c8-9f55-b9fe06a2c06d", "value": "Giffy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gimmick", "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf", "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/", "https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf" ], "synonyms": [], "type": [] }, "uuid": "59e8424b-f2e6-4542-bbb3-0e62a4596a01", "value": "GIMMICK (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ginwui", "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [], "type": [] }, "uuid": "7f768705-d852-4c66-a7e0-76fd5016d07f", "value": "Ginwui" }, { "description": "An information stealer written in .NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ginzo", "https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware", 
"https://twitter.com/struppigel/status/1506933328599044100", "https://www.govcert.ch/downloads/whitepapers/Unflattening-ConfuserEx-Code-in-IDA.pdf", "https://blog.talosintelligence.com/haskers-gang-zingostealer/", "https://ke-la.com/information-stealers-a-new-landscape/" ], "synonyms": [], "type": [] }, "uuid": "0edf6463-908a-4c3a-861d-70337c9f67bd", "value": "Ginzo Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses" ], "synonyms": [ "Wordpress Bruteforcer" ], "type": [] }, "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", "value": "Glasses" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" ], "synonyms": [], "type": [] }, "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", "value": "GlassRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos", "https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html" ], "synonyms": [], "type": [] }, "uuid": "d2e0cbfb-c647-48ec-84e2-ca2199cf7d03", "value": "GlitchPOS" }, { "description": "GlobeImposter is a ransomware application which is mainly distributed via \"blank slate\" spam (the spam has no message content and an attached ZIP file), exploits, malicious advertising, fake updates, and repacked installers. 
GlobeImposter mimics the Globe ransomware family.\r\nThis malware may prevent execution of Anti-Virus solutions and other OS related security features and may prevent system restoration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", "https://asec.ahnlab.com/ko/30284/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://isc.sans.edu/diary/23417", "https://www.emsisoft.com/ransomware-decryption-tools/globeimposter", "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/", "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet", "https://asec.ahnlab.com/en/48940/", "https://blog.ensilo.com/globeimposter-ransomware-technical" ], "synonyms": [ "Fake Globe" ], "type": [] }, "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", "value": "GlobeImposter" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" ], "synonyms": [], "type": [] }, "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", "value": "Globe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", "value": "GlooxMail" }, { "description": "Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/", "https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/", "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", "https://blog.google/threat-analysis-group/disrupting-glupteba-operation/", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "http://resources.infosecinstitute.com/tdss4-part-1/", "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/", "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", 
"https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf", "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html", "https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html", "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Uncovering-a-broad-criminal-ecosystem-Glupteba.pdf", "https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter", "https://www.youtube.com/watch?v=5Gz6_I-wl0E", "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/", "https://estr3llas.github.io/gluptebas-dotnet-dropper-deep-dive/", "https://habr.com/ru/company/solarsecurity/blog/578900/", "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Uncovering-a-broad-criminal-ecosystem-powered-by-one-of-the-largest-botnets-Glupteba.pdf", "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728", "https://blog.google/technology/safety-security/new-action-combat-cyber-crime/", "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html", "https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/", "https://community.riskiq.com/article/2a36a7d2/description", "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451", "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://labs.k7computing.com/?p=22319" ], "synonyms": [], "type": [] }, "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", "value": "Glupteba" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gobotkr", "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" ], "synonyms": [], "type": [] }, "uuid": "56060ca3-ee34-4df9-bcaa-70267d8440c1", "value": "GoBotKR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gocryptolocker", "https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html", "https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go", "https://twitter.com/GrujaRS/status/1254657823478353920" ], "synonyms": [], "type": [] }, "uuid": "f93da83e-0c2f-4dc0-82c6-2fcc6339dcf2", "value": "goCryptoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12", "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/" ], "synonyms": [ "GOSLU" ], "type": [] }, "uuid": "f62ad36f-e274-4fdb-b71d-887f9cd9c215", "value": "Godlike12" }, { "description": "Proof of concept for data exfiltration via DoH, written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godoh", "https://github.com/sensepost/goDoH", "https://sensepost.com/blog/2018/waiting-for-godoh/" ], "synonyms": [], "type": [] }, "uuid": "b54b4238-550f-42a7-9e62-d1ad5e4d3904", "value": "goDoH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", "https://www.kernelmode.info/forum/viewtopic0692.html?f=16&t=4349", "https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/" ], "synonyms": [], "type": [] }, "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", "value": "Godzilla Loader" }, { "description": "A file 
infector written in Go, discovered by Karsten Hahn in February 2022. According to Karsten, despite its internal naming, it is not polymorphic and the virus body is not encrypted. Gofing uses the Coldfire Golang malware development library.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gofing", "https://twitter.com/struppigel/status/1498229809675214849" ], "synonyms": [ "Velocity Polymorphic Compression Malware" ], "type": [] }, "uuid": "ba142293-2f22-46e3-8b8e-086f3571f14c", "value": "Gofing" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", "value": "Goggles" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gogoogle", "https://labs.bitdefender.com/2020/05/gogoogle-decryption-tool/" ], "synonyms": [ "BossiTossi" ], "type": [] }, "uuid": "034a3db0-b53c-4ec1-9390-4b6f214e1233", "value": "GoGoogle" }, { "description": "According to Symantec, a previously unseen backdoor that was deployed against a media organization in South Asia in November, 2023. GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gogra", "https://www.security.com/threat-intelligence/cloud-espionage-attacks" ], "synonyms": [ "Onedrivetools" ], "type": [] }, "uuid": "feb79c31-cf88-4127-8ee9-dde4dfb99396", "value": "GoGra" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldbackdoor", "https://github.com/blackorbird/APT_REPORT/blob/master/group123/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf", "https://www.0x0v1.com/rearchive-goldbackdoor/", "https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf" ], "synonyms": [], "type": [] }, "uuid": "54f5cf02-6fdc-43b4-af06-87af1a901264", "value": "GOLDBACKDOOR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/" ], "synonyms": [ "Petya/Mischa" ], "type": [] }, "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", "value": "GoldenEye" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper", "https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/" ], "synonyms": [], "type": [] }, "uuid": "1dd854b4-d8e6-438c-a0b1-6991b8b6ff92", "value": "GoldenHelper" }, { "description": "According to securityweek, GoldenSpy, the malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.\r\n\r\nOne of the compromised organizations, a 
global technology vendor that conducts government business in the US, Australia and UK, and which recently opened offices in China, became infected after installing “Intelligent Tax,” a piece of software from the Golden Tax Department of Aisino Corporation, which a local bank required for paying local taxes.\r\n\r\nAlthough it worked as advertised, the software was found to install a hidden backdoor to provide remote operators with the possibility to execute Windows commands or upload and run files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/", "https://www.ic3.gov/media/news/2020/200728.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", "https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf", "https://www.ic3.gov/Media/News/2020/201103-1.pdf", "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "86b8bd8d-19c5-4c7a-befd-0eb6297776bc", "value": "GoldenSpy" }, { "description": "Gold Max is a Golang written command and control backdoor used by the NOBELIUM threat actor group. It uses several different techniques to obfuscate its actions and evade detection. 
The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environment variables and information about the network where it is running.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", "https://www.youtube.com/watch?v=koZkHEJqPrU", "https://securelist.com/extracting-type-information-from-go-binaries/104715/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques", "https://securelist.com/it-threat-evolution-q2-2023/110355/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/" ], "synonyms": [ "SUNSHUTTLE" ], "type": [] }, "uuid": "9a3429d7-e4a8-43c5-8786-0b3a1c841a5f", "value": "GoldMax" }, { "description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaign targeted organizations linked with Pyeongchang Winter Olympics 2018. 
GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html", "https://asec.ahnlab.com/en/31089/", "https://www.youtube.com/watch?v=rfzmHjZX70s" ], "synonyms": [ "Lovexxx" ], "type": [] }, "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", "value": "GoldDragon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" ], "synonyms": [], "type": [] }, "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", "value": "Golroted" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gomet", "https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html" ], "synonyms": [], "type": [] }, "uuid": "020a84b4-d717-48e6-9333-07c55523bc57", "value": "GoMet" }, { "description": "Gomorrah is a stealer with no or little obfuscation that appeared around March 2020. It is sold for about 150$ lifetime for v4 (originally 400$ for v3) or 100$ per month by its developer called \"th3darkly / lucifer\" (which is also the developer of CosaNostra botnet). 
The malware's main functionalities are stealing (passwords, cryptocurrency wallets) and loading of tasks and other payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer", "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April", "https://twitter.com/vxunderground/status/1469713783308357633" ], "synonyms": [], "type": [] }, "uuid": "ea9a9585-2a99-42b9-a724-bf7af82bb986", "value": "Gomorrah stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", "https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" ], "synonyms": [ "Fuerboos" ], "type": [] }, "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", "value": "Goodor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1298818-6425-49be-9764-9f119d964efd", "value": "GoogleDrive RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" ], "synonyms": [], "type": [] }, "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", "value": "GooPic Drooper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gooseegg", "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/" ], "synonyms": [], "type": [] }, "uuid": 
"5d38cab2-ad33-467f-9ce9-27fea834fb13", "value": "GooseEgg" }, { "description": "Gootkit is a banking trojan consisting of an x86 loader and a payload embedding nodejs as well as a set of js scripts. The loader downloads the payload, stores it in the registry and injects it into a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into each browser process launched in order to position the payload as a man-in-the-browser and allow it to apply the webinjects received from the command and control server on HTTPx exchanges. This allows Gootkit to intercept HTTPx requests and responses, steal their content or modify it according to the webinjects.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope", "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/", "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055", "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/", "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://news.drweb.com/show/?i=4338&lng=en", "https://twitter.com/MsftSecIntel/status/1366542130731094021", "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html", "https://www.youtube.com/watch?v=242Tn0IL2jE", "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection", "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", "https://www.certego.net/en/news/malware-tales-gootkit/", 
"https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", "https://www.us-cert.gov/ncas/alerts/TA16-336A", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html", "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/", "https://securelist.com/gootkit-the-cautious-trojan/102731/", "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", "https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://twitter.com/jhencinski/status/1464268732096815105", "https://www.youtube.com/watch?v=QgUlPvEE4aw", "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md", "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", "https://dannyquist.github.io/gootkit-reversing-ghidra/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", 
"http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html" ], "synonyms": [ "Waldek", "Xswkit", "talalpek" ], "type": [] }, "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", "value": "GootKit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe", "https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques", "https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville" ], "synonyms": [], "type": [] }, "uuid": "fb2e42bf-6845-4eb3-9fe7-85a447762bce", "value": "Gophe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gopuram", "https://twitter.com/kucher1n/status/1642886340105601029?t=3GCn-ZhDjqWEMXya_PKseg", "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344" ], "synonyms": [], "type": [] }, "uuid": "6dc4e71e-7372-4287-bdee-04da17a0d275", "value": "Gopuram" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gotroj", "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "b4446bc0-41a1-4934-9fd0-a73b91589994", "value": "GOTROJ" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", "https://www.yumpu.com/en/document/view/55930175/govrat-v20" ], "synonyms": [], "type": [] }, "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", "value": "GovRAT" }, { "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. 
This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", "https://viuleeenz.github.io/posts/2023/03/dynamic-binary-instrumentation-for-malware-analysis/", "https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072", "https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance", "https://github.com/mlodic/ursnif_beacon_decryptor", "https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", 
"https://www.youtube.com/watch?v=BcFbkjUVc7o", "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://lokalhost.pl/gozi_tree.txt", "https://viuleeenz.github.io/posts/2023/12/applied-emulation-decrypting-ursnif-strings-with-unicorn/", "https://www.secureworks.com/research/gozi" ], "synonyms": [ "CRM", "Gozi CRM", "Papras", "Snifula", "Ursnif" ], "type": [] }, "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", "value": "Gozi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2", "https://de.securelist.com/analysis/59479/erpresser/", "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/", "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html" ], "synonyms": [], "type": [] }, "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", "value": "GPCode" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" ], "synonyms": [], "type": [] }, "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", "value": "GrabBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", "https://malware.news/t/graftor-but-i-never-asked-for-this/14857", 
"http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html", "https://bin.re/blog/the-dga-of-symmi/" ], "synonyms": [ "MewsSpy" ], "type": [] }, "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", "value": "Graftor" }, { "description": "Grager is a backdoor deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of this backdoor revealed that it uses the Graph API to communicate with a command and control (C&C) server hosted on Microsoft OneDrive. The backdoor decrypts a client ID and refresh token for OneDrive from a blob contained within its file body. It supports the following commands:\r\n\r\n- Retrieve machine information, including machine name, user, IP address, and machine architecture\r\n- Download or upload a file\r\n- Execute a file\r\n- Gather file system information, including available drives, their sizes, and types of drives", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grager", "https://www.security.com/threat-intelligence/cloud-espionage-attacks" ], "synonyms": [], "type": [] }, "uuid": "a5cf8d64-262f-47fd-a48b-1c2bcfa4f641", "value": "Grager" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gramdoor", "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html", "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf" ], "synonyms": [ "Small Sieve" ], "type": [] }, "uuid": "0dfa69cc-cc70-4944-af42-7e1f923e6b6b", "value": "GRAMDOOR" }, { "description": "According to ESET Research, Grandoreiro is a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. 
As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro", "https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware", "https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/", "https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals", "https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf", "https://www.bleepingcomputer.com/news/security/police-disrupt-grandoreiro-banking-malware-operation-make-arrests/", "https://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/", "https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/", "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_study_grandoreiro_analysis_2022_v1.pdf", "https://securelist.com/grandoreiro-banking-trojan/114257/", "https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season", "https://www.metabaseq.com/grandoreiro-banking-malware-deciphering-the-dga/", "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853", "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"c62219e2-74a3-49c2-a33d-0789b820c467", "value": "Grandoreiro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandsteal", "http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html" ], "synonyms": [], "type": [] }, "uuid": "626de4fc-cfa4-4fbc-ab35-4c9ab9fdec14", "value": "GrandSteal" }, { "description": "PANW Unit 42 describes this malware as capable of uploading and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and the Dropbox API as C&C channels.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf", "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793", "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered" ], "synonyms": [ "GraphicalProton", "SPICYBEAT" ], "type": [] }, "uuid": "15d96a22-118b-4933-8258-e9cc4dd9719a", "value": "GraphDrop" }, { "description": "This loader abuses the benign service Notion for data exchange.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf", "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58", "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine", "https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html", "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d", 
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf" ], "synonyms": [ "SNOWYAMBER" ], "type": [] }, "uuid": "cb92a200-b4f0-4983-8d5d-6bf529b66da9", "value": "GraphicalNeutrino" }, { "description": "According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15" ], "synonyms": [], "type": [] }, "uuid": "ccaefb44-1cbb-4f91-bd2d-ea5735446d1d", "value": "Graphican" }, { "description": "Downloader / information stealer used by UAC-0056, observed since at least October 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphiron", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer" ], "synonyms": [], "type": [] }, "uuid": "968e330d-281e-4647-99fd-d9903aa6bbba", "value": "Graphiron" }, { "description": "Trellix describes Graphite as a malware using the Microsoft Graph API and OneDrive for C&C. 
It was found being deployed in-memory only and served as a downloader for Empire.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf", "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/" ], "synonyms": [], "type": [] }, "uuid": "8ecc6605-eed1-416c-bc8b-0dc1147d3c2b", "value": "Graphite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphon", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia" ], "synonyms": [], "type": [] }, "uuid": "9ab9e88f-b365-4d58-af52-e9d19ab00348", "value": "Graphon" }, { "description": "This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two used backdoors written in Go and attributed to UAC-0056 (SaintBear, UNC2589, TA471).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel", "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", 
"https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine", "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://cert.gov.ua/article/38374" ], "synonyms": [], "type": [] }, "uuid": "64963521-0181-4220-935a-a6deefa871b2", "value": "GraphSteel" }, { "description": "POS malware targets systems that run physical point-of-sale devices and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as LogMeIn software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with a low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was uploaded in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", "http://www.secureworks.com/research/threat-profiles/gold-franklin", "https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season", "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/" ], "synonyms": [ "FrameworkPOS", "SCRAPMINT", "trinity" ], "type": [] }, "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", "value": "Grateful POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem" ], "synonyms": [], "type": [] }, "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", "value": "Gratem" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", "https://blog.talosintelligence.com/cosmic-leopard/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", "https://securelist.com/gravityrat-the-spy-returns/99097/", "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" ], "synonyms": [], "type": [] }, "uuid": 
"1de27925-f94c-462d-acb6-f75822e05ec4", "value": "Gravity RAT (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease", "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" ], "synonyms": [], "type": [] }, "uuid": "4ed079e6-69bd-481b-b873-86ced9ded750", "value": "GREASE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", "https://blog.cylance.com/spear-a-threat-actor-resurfaces" ], "synonyms": [ "eoehttp" ], "type": [] }, "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", "value": "GreenShaitan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.green_dispenser", "https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser" ], "synonyms": [], "type": [] }, "uuid": "88fda711-cd7f-44e3-b92e-65f1c726df98", "value": "GreenDispenser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.greetingghoul", "https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/" ], "synonyms": [], "type": [] }, "uuid": "b8763a6f-2711-454d-bbde-7408ebe932c1", "value": "GreetingGhoul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "https://github.com/NozomiNetworks/greyenergy-unpacker", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://www.eset.com/int/greyenergy-exposed/", 
"https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/", "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", "https://attack.mitre.org/groups/G0034" ], "synonyms": [], "type": [] }, "uuid": "5a683d4f-31a1-423e-a136-d348910ca967", "value": "GreyEnergy" }, { "description": "This is a proxy-aware HTTP backdoor that is implemented as a service and uses the compromised system's proxy settings to access the internet. C&C traffic is base64 encoded and the files sent to the server are compressed with aPLib.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark", "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/", "https://content.fireeye.com/m-trends/rpt-m-trends-2019" ], "synonyms": [ "Hellsing Backdoor" ], "type": [] }, "uuid": "60cc0c72-e903-4dda-967a-9da0e12d4ac5", "value": "GRILLMARK" }, { "description": "GRIMAGENT is a backdoor that can execute arbitrary commands, download files, create and delete scheduled tasks, and execute programs via scheduled tasks or via the ShellExecute API. The malware persists via a randomly named scheduled task and a registry Run key. The backdoor communicates to hard-coded C&C servers via HTTP requests with portions of its network communications encrypted using both asymmetric and symmetric cryptography. 
GRIMAGENT was used during some Ryuk Ransomware intrusions in 2020.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent", "https://blog.group-ib.com/grimagent", "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets", "https://twitter.com/bryceabdo/status/1352359414746009608", "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" ], "synonyms": [], "type": [] }, "uuid": "57460bae-84ad-402d-8949-9103c5917703", "value": "GRIMAGENT" }, { "description": "This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two used backdoors written in Go and attributed to UAC-0056 (SaintBear, UNC2589, TA471).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant", "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine", "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/", 
"https://cert.gov.ua/article/38374" ], "synonyms": [], "type": [] }, "uuid": "235cba54-256e-48a0-b5dc-5e1aa3247cde", "value": "GrimPlant" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/" ], "synonyms": [], "type": [] }, "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", "value": "GROK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ground_peony", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "6f52913f-e287-4f7a-95ae-4e43ea29a044", "value": "GroundPeony" }, { "description": "According to PCrisk, Growtopia (also known as CyberStealer) is an information stealer written in the C# programming language. It can obtain system information, steal information from various applications, and capture screenshots. Its developer claims that it has created this software for educational purposes only. 
This stealer uses the name of a legitimate online game.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.growtopia", "https://github.com/TheC0mpany/GrowtopiaStealer" ], "synonyms": [], "type": [] }, "uuid": "5fb7db86-a510-400c-b7d3-4197eef09755", "value": "Growtopia" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt", "https://twitter.com/ItsReallyNick/status/1208141697282117633", "https://www.telsy.com/download/5776/?uid=aca91e397e", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" ], "synonyms": [], "type": [] }, "uuid": "884782cf-9fdc-4f3c-8fba-e878330d0ef5", "value": "GRUNT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", "https://attack.mitre.org/wiki/Technique/T1003" ], "synonyms": [], "type": [] }, "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", "value": "gsecdump" }, { "description": "A malware family with a DGA.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gspy", "https://www.virustotal.com/gui/file/0a062a1cbcd05f671f5c3fe5575e29fdd9e13deeb9f34f1ee9ffa6b75835668f/detection" ], "synonyms": [], "type": [] }, "uuid": "4e466824-7081-4163-8d90-895492b55f23", "value": "GSpy" }, { "description": "According to haxrob, GTPDOOR is the name of Linux-based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GPRS eXchange Network) with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol - Control Plane) signalling messages. 
This allows the C2 traffic to blend in with normal traffic and to reuse already-permitted ports that may be open and exposed to the GRX network.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gtpdoor", "https://nitter.poast.org/haxrob/status/1762821513680732222", "https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR" ], "synonyms": [], "type": [] }, "uuid": "e06aef59-6133-4e37-9e00-6c05ce52506a", "value": "GTPDOOR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy", "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" ], "synonyms": [], "type": [] }, "uuid": "83d1bf1b-6557-4c2e-aa00-53013be73067", "value": "GUP Proxy Tool" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gwisin", "https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf", "https://asec.ahnlab.com/en/41565/", "https://asec.ahnlab.com/en/37483" ], "synonyms": [], "type": [] }, "uuid": "ef39478b-716a-4b98-b10e-36b8ca22060c", "value": "Gwisin (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" ], "synonyms": [], "type": [] }, "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", "value": "H1N1 Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.habitsrat", "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers", "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/" ], 
"synonyms": [], "type": [] }, "uuid": "b39de9b2-7739-44f4-a03b-1fffa0c0df04", "value": "HabitsRAT (Windows)" }, { "description": "Browser information stealer, written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackbrowserdata", "https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign" ], "synonyms": [], "type": [] }, "uuid": "a4c2b9c1-ede6-4d55-b27e-5b5d52b9c46c", "value": "HackBrowserData" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", "value": "Hacksfase" }, { "description": "Py2Exe based tool as found on github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", "https://github.com/ratty3697/HackSpy-Trojan-Exploit" ], "synonyms": [], "type": [] }, "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", "value": "HackSpy" }, { "description": "According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety of data types using AES encryption. 
Hades Locker appends the names of encrypted files with the \".~HL[5_random_characters] (first 5 characters of encryption password)\" extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hades", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.accenture.com/us-en/blogs/security/ransomware-hades", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure", "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware", "http://www.secureworks.com/research/threat-profiles/gold-winter", "https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", "https://twitter.com/inversecos/status/1381477874046169089?s=20", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf" ], "synonyms": [], "type": [] }, "uuid": "ab9b4a89-c35b-42aa-bffb-98fccf7d318f", "value": "Hades" }, { "description": "Hakbit ransomware is written in .NET. 
It uploads (some) files to be encrypted to an FTP server.\r\nThe ransom note is embedded - in earlier versions as a plain string, then as a base64 string. In some versions, these strings are slightly obfuscated.\r\n\r\nContact is via an email address hosted on protonmail. Hakbit (original) had hakbit@, more recent \"KiraLock\" has kiraransom@ (among others of course).\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit", "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/", "https://www.justice.gov/usao-edny/press-release/file/1505981/download", "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants", "https://securelist.com/cis-ransomware/104452/", "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf", "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware", "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", "https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/", "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://unit42.paloaltonetworks.com/prometheus-ransomware/", "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/", "https://unit42.paloaltonetworks.com/thanos-ransomware/", "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/", "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/", "https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/", 
"https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ "Thanos Ransomware" ], "type": [] }, "uuid": "18617856-c6c4-45f8-995f-4916a1b45b05", "value": "Hakbit" }, { "description": "A stager used by APT29 to deploy CobaltStrike.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.halfrig", "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb" ], "synonyms": [], "type": [] }, "uuid": "c89b2d7b-82b7-4329-81d0-ed99be4fad96", "value": "HALFRIG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", "https://www.youtube.com/watch?v=JPvcLLYR0tE", "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf", "https://www.youtube.com/watch?v=FAFuSO9oAl0", "https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/" ], "synonyms": [], "type": [] }, "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", "value": "Hamweq" }, { "description": "Hancitor (aka Chanitor) emerged in 2013 and spreads via social engineering techniques, mainly phishing mails that embed a malicious link or carry a weaponized Microsoft Office document containing a malicious macro.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", "https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", "https://www.uperesia.com/hancitor-packer-demystified", "https://www.malware-traffic-analysis.net/2021/09/29/index.html", "https://isc.sans.edu/diary/rss/27618", "https://muha2xmad.github.io/unpacking/hancitor/", "https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/", 
"https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/", "https://pid4.io/posts/how_to_write_a_hancitor_extractor/", "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/", "https://blog.group-ib.com/prometheus-tds", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://blog.group-ib.com/hancitor-cuba-ransomware", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://cyber-anubis.github.io/malware%20analysis/hancitor/", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", "https://blog.group-ib.com/switching-side-jobs", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", "https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure", "https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity", "https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/", "https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://twitter.com/TheDFIRReport/status/1359669513520873473", "https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", 
"https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", "https://malware-traffic-analysis.net/2021/09/29/index.html", "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/", "https://muha2xmad.github.io/malware-analysis/fullHancitor/", "https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8", "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/" ], "synonyms": [ "Chanitor" ], "type": [] }, "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", "value": "Hancitor" }, { "description": "According to Intezer, this is a second stage loader written in Delphi.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.handala", "https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html", "https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/", "https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/" ], "synonyms": [], "type": [] }, "uuid": "e65a79ca-9236-4ffa-867c-afe9a856f1d0", "value": "Handala" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" ], "synonyms": [], "type": [] }, "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", "value": "HappyLocker (HiddenTear?)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf", 
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [], "type": [] }, "uuid": "e4948b4c-be46-44a4-81e6-3b1922448083", "value": "HARDRAIN (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html", "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html" ], "synonyms": [ "Piptea" ], "type": [] }, "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", "value": "Harnig" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.haron", "https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/", "https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b" ], "synonyms": [], "type": [] }, "uuid": "788c44c1-d1cd-4b17-8fa9-116d682c3661", "value": "Haron Ransomware" }, { "description": "According to Intezer, this is a wiper.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hatef", "https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html", "https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/", "https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/" ], "synonyms": [], "type": [] }, "uuid": "2af38f0c-b1fb-4241-8ae8-f06ea7729ff1", "value": "Hatef" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havana_crypt", "https://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html" ], "synonyms": [], "type": [] }, "uuid": "d2f11e7f-4daf-42f0-8304-e59935991745", "value": "HavanaCrypt" }, { "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and 
attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. 
However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a", "https://www.f-secure.com/weblog/archives/00002718.html", "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "https://www.secureworks.com/research/threat-profiles/iron-liberty" ], "synonyms": [], "type": [] }, "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", "value": "Havex RAT" }, { "description": "First released in October 2022, the Havoc C2 Framework is a flexible post-exploitation framework written in Golang, C++, and Qt, with agents called 'Demons' written in C and ASM, created by @C5pider. Designed to support red team engagements and adversary emulation, it offers a robust set of capabilities tailored for offensive security operations. The framework, which is under active development, utilizes HTTP(s) and SMB as communication protocols for its implants. Havoc can generate implants, known as Demons, in several formats including EXE, DLL, and Shellcode. A notable feature of Havoc is its ability to bypass EDR by employing advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. 
This capability enhances its effectiveness in evading detection and circumventing security measures.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/", "https://www.youtube.com/watch?v=ErPKP4Ms28s", "https://4pfsec.com/havoc-c2-first-look/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.immersivelabs.com/blog/havoc-c2-framework-a-defensive-operators-guide/", "https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks", "https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ", "https://github.com/HavocFramework/Havoc", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf" ], "synonyms": [ "Havokiz" ], "type": [] }, "uuid": "ddbcedee-ac3e-45d3-be2c-d7315d83e6a6", "value": "Havoc" }, { "description": "HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. 
HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball", "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "dc07507b-959f-4521-be0f-b9ff2b32b909", "value": "HAWKBALL" }, { "description": "HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new \"loader capabilities\" have been spotted. It is sold by its development team on dark web markets and hacking forums.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/", "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", 
"https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/", "http://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md", "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/", "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html" ], "synonyms": [ "HawkEye", "HawkEye Reborn", "Predator Pain" ], "type": [] }, "uuid": "31615066-dbff-4134-b467-d97a337b408b", "value": "HawkEye Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hazy_load", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research", "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/" ], "synonyms": [], "type": [] }, "uuid": "a0d0d428-fd1b-460c-a03a-0003c6daff6d", "value": "HazyLoad" }, { "description": "HDMR is a ransomware which encrypts user files and adds a .DMR64 extension. It also drops a ransom note named: \"!!! 
READ THIS !!!.hta\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr", "https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1", "http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html" ], "synonyms": [ "GO-SPORT" ], "type": [] }, "uuid": "d643273f-7a53-4703-bf65-95716d55a5dd", "value": "HDMR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdroot", "https://securelist.com/i-am-hdroot-part-2/72356/", "https://securelist.com/i-am-hdroot-part-1/72275/" ], "synonyms": [], "type": [] }, "uuid": "af8df5d7-cd8c-41ea-b9ec-b69ab7811e2d", "value": "HDRoot" }, { "description": "The Chinese threat actor \"Scarab\" is using a custom backdoor dubbed \"HeaderTip\" according to SentinelLABS. This malware may be the successor of \"Scieron\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip", "https://cert.gov.ua/article/38097", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip", "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/", "https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine" ], "synonyms": [], "type": [] }, "uuid": "994c64f3-ca59-4392-9ab4-0256e79fcfad", "value": "HeaderTip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.headlace", "https://cert.pl/en/posts/2024/05/apt28-campaign/", "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/" ], "synonyms": [], "type": [] }, "uuid": "7229ccd9-1f2b-4a71-8119-1f4eb1c04a5d", "value": "Headlace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", "value": "Helauto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellobot", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html" ], "synonyms": [], "type": [] }, "uuid": "64cecfd4-96fd-42a3-8537-fc0e041271a2", "value": "HelloBot (Windows)" }, { "description": "Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. 
Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty", "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", "https://cocomelonc.github.io/book/2023/12/13/malwild-book.html", "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/", "https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/", "https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/", "https://www.ic3.gov/Media/News/2021/211029.pdf", "https://twitter.com/fwosar/status/1359167108727332868", "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/", "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html", "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks", "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/", "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html", "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html", "https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7", "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire" ], "synonyms": [ "KittyCrypt" ], "type": [] }, "uuid": "433c97b5-89ac-4783-a312-8bb890590ff0", "value": "HelloKitty (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] }, "uuid": "19d89300-ff97-4281-ac42-76542e744092", "value": "Helminth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/" ], "synonyms": [], "type": [] }, "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625", "value": "Heloag" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hemigate", 
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "3db00976-d81d-4a54-a639-ae087bc2493d", "value": "HemiGate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" ], "synonyms": [], "type": [] }, "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", "value": "Herbst" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" ], "synonyms": [], "type": [] }, "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", "value": "Heriplor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", "https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://www.youtube.com/watch?v=9nuo-AGg4p4", "https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html", 
"https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.malwarebytes.com/blog/news/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day" ], "synonyms": [], "type": [] }, "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", "value": "Hermes" }, { "description": "According to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It abuses a signed driver called \"empntdrv.sys\" which is associated with the legitimate software \"EaseUS Partition Master Software\" to enumerate the MBR and all partitions of all physical drives connected to the victim's Windows device and overwrite the first 512 bytes of every MBR and partition it can find, rendering them useless. \r\nThis malware is associated with the attacks against Ukraine during Russia's invasion in February 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper", "https://twitter.com/fr0gger_/status/1497121876870832128", "https://www.brighttalk.com/webcast/15591/534324", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a", "https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/", "https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/", "https://dgc.org/en/hermeticwiper-malware/", "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", "https://twitter.com/threatintel/status/1496578746014437376", 
"https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", "https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/", "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/", "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/", "https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/", "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html", "https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/", "https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket", "https://community.riskiq.com/article/9f59cb85", 
"https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://brandefense.io/hermeticwiper-technical-analysis-report/", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", "https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/", "https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", "https://thehackernews.com/2022/02/putin-warns-russian-critical.html", "https://www.englert.one/hermetic-wiper-reverse-code-engineering", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html", "https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", "https://twitter.com/Sebdraven/status/1496878431719473155", "https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf", "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf", 
"https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", "https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/", "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation", "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", "https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations", "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", "https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/", "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/", "https://eln0ty.github.io/malware%20analysis/HermeticWiper/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.mandiant.com/resources/information-operations-surrounding-ukraine", "https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/", "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/", "https://www.youtube.com/watch?v=sUlW45c9izU", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware", 
"https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/", "https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/" ], "synonyms": [ "DriveSlayer", "FoxBlade", "KillDisk.NCV", "NEARMISS" ], "type": [] }, "uuid": "db6c1ec5-3961-47ce-9cd1-e650388a15fd", "value": "HermeticWiper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard", "https://www.brighttalk.com/webcast/15591/534324", "https://twitter.com/ET_Labs/status/1502494650640351236", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", "https://twitter.com/silascutler/status/1501668345640366091", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview" ], "synonyms": [], "type": [] }, "uuid": "f4400c49-75c6-494a-aa3e-d873404281c1", "value": "HermeticWizard" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" ], "synonyms": [], "type": [] }, "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", "value": "HerpesBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot", "https://web-assets.esetstatic.com/wls/2013/09/Hesperbot_Whitepaper.pdf" ], "synonyms": [], "type": [] }, "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", "value": "HesperBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heyoka", "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" ], "synonyms": [], "type": [] }, "uuid": "5833d95c-4131-4cd3-8600-fc40bb834fe3", "value": "heyoka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiasm", 
"https://fortiguard.fortinet.com/encyclopedia/virus/6488677" ], "synonyms": [], "type": [] }, "uuid": "c49e1f43-a16a-49b1-b23e-9e49cd20c90b", "value": "HiAsm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee", "https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/", "https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/", "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/", "https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/", "https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/", "https://www.freebuf.com/column/175106.html", "https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family", "https://www.freebuf.com/column/174581.html", "https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/" ], "synonyms": [], "type": [] }, "uuid": "f1e4862e-75a3-4843-add3-726a6535019c", "value": "Hidden Bee" }, { "description": "HiddenTear is an open source ransomware developed by a Turkish programmer and later released as proof of concept on GitHub. The malware generates a local symmetric key in order to encrypt a configurable folder (/test was the default one) and it sends it to a centralized C&C server. Due to its small payload it was used as real attack vector over email phishing campaigns. 
Variants are still used in attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", "https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/", "https://twitter.com/struppigel/status/950787783353884672", "https://www.linkedin.com/posts/threatmon_azzasec-ransomware-technical-malware-analysis-ugcPost-7223910683967393792-eZaa?utm_source=share&utm_medium=member_desktop", "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", "https://utkusen.com/blog/im-sorry-for-hidden-tear-eda2", "https://github.com/goliate/hidden-tear", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", "https://www.bleepingcomputer.com/news/security/hidden-tear-ransomware-developer-blackmailed-by-malware-developers-using-his-code/", "https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html", "https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring", "https://twitter.com/JAMESWT_MHT/status/1264828072001495041" ], "synonyms": [ "Cryptear", "FuckUnicorn" ], "type": [] }, "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", "value": "HiddenTear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf", "https://www.secureworks.com/research/threat-profiles/iron-twilight" ], "synonyms": [], "type": [] }, "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", "value": "HideDRV" }, { "description": "According to FireEye, HIGHNOON is a backdoor that may consist of multiple components. The components may include a loader, a DLL, and a rootkit. 
Both the loader and the DLL may be dropped together, but the rootkit may be embedded in the DLL. The HIGHNOON loader may be designed to run as a Windows service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon", "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", "https://content.fireeye.com/apt-41/rpt-apt41/", "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://twitter.com/MrDanPerez/status/1159461995013378048" ], "synonyms": [], "type": [] }, "uuid": "f04c5821-311f-44c9-9d6c-0fe3fd3a1336", "value": "HIGHNOON" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon_bin", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "0a86eb46-28b5-4797-af63-75f9b2ef9080", "value": "HIGHNOON.BIN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote", "https://twitter.com/bkMSFT/status/1153994428949749761" ], "synonyms": [ "ChyNode" ], "type": [] }, "uuid": "d9f03a69-507d-4b1d-af6d-e76fca5952b7", "value": "HIGHNOTE" }, { "description": "According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. 
It has been observed to store its malicious payload in the IDAT chunk of PNG file format.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader", "https://www.esentire.com/blog/danabots-latest-move-deploying-icedid", "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn", "https://web.archive.org/web/20231219110155/https://yoroi.company/en/research/innovation-in-cyber-intrusions-the-evolution-of-ta544/", "https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution", "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/", "https://alpine-sec.medium.com/hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3", "https://www.elastic.co/security-labs/tricks-and-treats", "https://www.trellix.com/blogs/research/how-attackers-repackaged-a-threat-into-something-that-looked-benign/", "https://www.loginsoft.com/post/blue-screen-mayhem-when-crowdstrikes-glitch-became-threat-actors-playground", "https://www.zscaler.com/blogs/security-research/hijackloader-updates", "https://www.crowdstrike.com/blog/hijackloader-expands-techniques/", "https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader", "https://securelist.com/tusk-infostealers-campaign/113367/", "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/" ], "synonyms": [ "DOILoader", "GHOSTPULSE", "IDAT Loader", "SHADOWLADDER" ], "type": [] }, "uuid": "cbba3bc7-9491-402c-af3b-9a15b8bce122", "value": "HijackLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", 
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf", "https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://attack.mitre.org/groups/G0001/" ], "synonyms": [], "type": [] }, "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", "value": "HiKit" }, { "description": "A new ransomware family was discovered in August 2019. Called HILDACRYPT, it is named after the Netflix cartoon “Hilda” because the TV show’s YouTube trailer was included in the ransom note of the original version of the malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hildacrypt", "https://blog.sonicwall.com/en-us/2019/11/mindhunter-meeting-a-russian-ransomware-cell/", "https://www.acronis.com/en-eu/blog/posts/popular-backup-solutions-easily-disabled-recent-hildacrypt-ransomware/", "https://www.acronis.com/en-eu/blog/posts/hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions/", "https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/", "https://youtu.be/Oqg20dF8tTA", "https://www.bleepingcomputer.com/news/security/hildacrypt-ransomware-developer-releases-decryption-keys/" ], "synonyms": [], "type": [] }, "uuid": "fb637fc1-c06b-4b68-b261-0e1c0bd1e17b", "value": "HILDACRYPT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", "value": "himan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader", 
"https://twitter.com/James_inthe_box/status/1260191589789392898" ], "synonyms": [], "type": [] }, "uuid": "b5e83cab-8096-40de-8a5b-5bf0f2e336b2", "value": "Himera Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hisoka", "https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/" ], "synonyms": [], "type": [] }, "uuid": "b6734ca0-599f-4992-9094-218d01ddfb3a", "value": "Hisoka" }, { "description": "Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe.\r\nIn 2022 there was a switch from GoLang to Rust.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive", "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html", "https://arxiv.org/pdf/2202.08477.pdf", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/", "https://www.ic3.gov/Media/News/2021/210825.pdf", "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf", 
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf", "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/", "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", "https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/", "https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/", "https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/", "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html", "https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/", "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again", "https://www.connectwise.com/resources/hive-profile", "https://github.com/reecdeep/HiveV5_file_decryptor", "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", 
"https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html", "https://github.com/rivitna/Malware/tree/main/Hive", "https://resources.prodaft.com/wazawaka-report", "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/", "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/", "https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/", "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf", "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", "https://blog.group-ib.com/hive" ], "synonyms": [], "type": [] }, "uuid": "4aaa039f-6239-46d8-850d-69e9cbd12e9e", "value": "Hive (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" ], "synonyms": [], "type": [] }, "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", "value": "Hi-Zor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" ], "synonyms": [], "type": [] }, "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", "value": "HLUX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hodur", "https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf", "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/", "https://files.speakerdeck.com/presentations/6d01e26c85a444d0a3f888e45629635f/hodur_recon2024.pdf", 
"https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf" ], "synonyms": [], "type": [] }, "uuid": "6dec4a6e-9a33-4f1e-94fc-5e34916b968f", "value": "Hodur" }, { "description": "Adware tied to the eGobbler and Nephos7 campaigns.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.holcus", "https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0" ], "synonyms": [], "type": [] }, "uuid": "379356c7-ec7a-4880-85d5-afe9608d6b60", "value": "Holcus Installer (Adware)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.holerun", "https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated" ], "synonyms": [], "type": [] }, "uuid": "1860127d-41cf-4fe8-a58c-9f5304b91fb1", "value": "HOLERUN" }, { "description": "A 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. 
The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [], "type": [] }, "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", "value": "homefry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hookinjex", "https://twitter.com/CDA/status/1014144988454772736", "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" ], "synonyms": [], "type": [] }, "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", "value": "HookInjEx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045g", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.us-cert.gov/ncas/analysis-reports/ar19-304a", "https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf", "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ "HANGMAN" ], 
"type": [] }, "uuid": "3e489132-8687-46b3-b9a7-74ba8fafaddf", "value": "HOPLIGHT" }, { "description": "Hopscotch is part of the Regin framework.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch", "https://www.youtube.com/watch?v=VnzP00DZlx4" ], "synonyms": [], "type": [] }, "uuid": "0ab4f3ce-5474-4b1e-8ad9-b9ad80e75be8", "value": "Hopscotch" }, { "description": "Remote Access Tool written in VB.NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.horuseyes", "https://github.com/arsium/HorusEyesRat_Public" ], "synonyms": [], "type": [] }, "uuid": "cbe47d19-2f74-4dbc-84b5-44c31518c8a7", "value": "HorusEyes RAT" }, { "description": "Warsaw trojan is a new banking trojan based on the Horus Eyes RAT core engine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.horus_eyes_rat", "https://seguranca-informatica.pt/the-clandestine-horus-eyes-rat-from-the-underground-to-criminals-arsenal/" ], "synonyms": [], "type": [] }, "uuid": "5a368326-d594-4a9b-94ff-7e2d41158006", "value": "Horus Eyes RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" ], "synonyms": [], "type": [] }, "uuid": "4500694c-d71a-4d11-8f9c-0036156826b6", "value": "HOTCROISSANT" }, { "description": "HOTWAX is a module that, upon starting, imports all necessary system API functions and searches for a .CHM file. 
HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches for the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax", "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", "https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf", "https://content.fireeye.com/apt/rpt-apt38", "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", "https://securelist.com/lazarus-under-the-hood/77908/", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" ], "synonyms": [], "type": [] }, "uuid": "d5391c00-9a75-457c-9ef0-0a75c5df8348", "value": "HOTWAX" }, { "description": "Houdini is a VBS-based RAT dating back to 2013. Back in the day it used to be wrapped in an .exe, but in 2018 it started being spamvertized or downloaded by other malware directly as a .vbs file. 
In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini", "http://blogs.360.cn/post/analysis-of-apt-c-37.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt", "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/", "https://www.youtube.com/watch?v=XDAiS6KBDOs", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", "https://lab52.io/blog/wirte-group-attacking-the-middle-east/", "https://threatpost.com/ta2541-apt-rats-aviation/178422/", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", "https://blogs.360.cn/post/APT-C-44.html", "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html", "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/", "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/", "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md", "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html", "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns", "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/", "https://cofense.com/houdini-worm-transformed-new-phishing-attack/", "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37", "https://www.youtube.com/watch?v=h3KLKCdMUUY", 
"https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", "http://blog.morphisec.com/hworm-houdini-aka-njrat", "https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/" ], "synonyms": [ "Hworm", "Jenxcus", "Kognito", "Njw0rm", "WSHRAT", "dinihou", "dunihi" ], "type": [] }, "uuid": "11775f11-03a0-4ba8-932f-c125dfb66e35", "value": "Houdini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" ], "synonyms": [], "type": [] }, "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", "value": "HtBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", "https://www.riskiq.com/blog/labs/htprat/" ], "synonyms": [], "type": [] }, "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", "value": "htpRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", "https://www.secureworks.com/research/htran", "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "https://blog.talosintelligence.com/new-zardoor-backdoor/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", 
"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://www.secureworks.com/research/threat-profiles/bronze-atlas" ], "synonyms": [ "HUC Packet Transmit Tool" ], "type": [] }, "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", "value": "HTran" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/", "https://attack.mitre.org/groups/G0026", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", "https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/", "https://www.secureworks.com/research/threat-profiles/bronze-union" ], "synonyms": [ "HttpDump" ], "type": [] }, "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", "value": "HttpBrowser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [ "httpdr0pper" ], "type": [] }, "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", "value": "httpdropper" }, { "description": "Cisco Talos states that HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsnoop", 
"https://blog.talosintelligence.com/introducing-shrouded-snooper/" ], "synonyms": [ "TOFULOAD" ], "type": [] }, "uuid": "f585fba9-4a75-4752-bfdd-a0049e4d8d63", "value": "HTTPSnoop" }, { "description": "The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration over the HTTP or HTTPS protocols.\r\n\r\nIt accepts up to 10 command line parameters: a 29-byte decryption key, a C&C server for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p followed by a proxy IP address and port.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader", "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf", "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/", "https://securelist.com/lazarus-threatneedle/100803/" ], "synonyms": [], "type": [] }, "uuid": "50723d62-ecf2-49de-9ce2-911045ae63f0", "value": "HTTP(S) uploader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", "value": "http_troy" }, { "description": "A loader that has been used by multiple threat actor groups since 2015.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader", "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/", "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", 
"https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf", "https://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3" ], "synonyms": [], "type": [] }, "uuid": "1cb6ed37-3017-45b9-b186-1e16d46a8dd2", "value": "HUI Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter", "https://twitter.com/3xp0rtblog/status/1324800226381758471" ], "synonyms": [], "type": [] }, "uuid": "c93fdbb9-aafc-441d-a66f-aaf038f10bd3", "value": "Hunter Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hupigon", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities" ], "synonyms": [], "type": [] }, "uuid": "40157734-eb33-4187-bcc8-2cd168db6fda", "value": "Hupigon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.huskloader", "https://twitter.com/SethKingHi/status/1612377098777133057" ], "synonyms": [], "type": [] }, "uuid": "06649edb-d078-4403-a628-6295d1bc4ad8", "value": "HuskLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hussar", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/" ], "synonyms": [], "type": [] }, "uuid": "d3d86184-3c5c-478b-8f8b-f56f1a02247d", "value": "Hussar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hxdef", "https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/" ], "synonyms": [ "HacDef", "HackDef", "HackerDefender" ], "type": [] }, "uuid": "906adc27-757d-42bd-b8a2-f8a134077343", "value": "HxDef" }, { "description": "HyperBro is a RAT that has been observed primarily targeting the gambling industry, though it has been seen in other sectors as well. 
The malware typically consists of three or more components: a) a legitimate, usually code-signed executable that serves as the loader; b) a malicious DLL loaded by that executable via DLL hijacking (side-loading); c) an encrypted and compressed blob that decrypts to a PE-based payload with its C2 information hardcoded inside.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/", "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html", "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt", 
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia", "https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf", "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf", "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel", "https://www.intrinsec.com/apt27-analysis/", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", "https://www.youtube.com/watch?v=YCwyc6SctYs", "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html", "https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" ], "synonyms": [], "type": [] }, "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", "value": "HyperBro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperscrape", 
"https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/" ], "synonyms": [], "type": [] }, "uuid": "d532739b-327c-4c15-b272-e37e89183f0f", "value": "HYPERSCRAPE" }, { "description": "Sideloader used by EmissaryPanda", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html", "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf", "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf", "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx", "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html", "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel", "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf", "https://twitter.com/ESETresearch/status/1594937054303236096", "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf", "https://norfolkinfosec.com/emissary-panda-dll-backdoor/", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics", "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" ], "synonyms": [ "FOCUSFJORD", "Soldier", "Sysupdate" ], "type": [] }, "uuid": "84f43641-77bc-4dcb-a104-150e8574da22", "value": "HyperSSL (Windows)" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hzrat", "https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2" ], "synonyms": [], "type": [] }, "uuid": "eaaebc38-73d8-48b7-9927-2d2523870795", "value": "HZ RAT (Windows)" }, { "description": "Icarus is a modular stealer written in .NET. One of its modules is the open source r77 rootkit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icarus", "https://twitter.com/struppigel/status/1566685309093511170" ], "synonyms": [], "type": [] }, "uuid": "8f1225ba-a636-488b-a288-ab777708a205", "value": "Icarus" }, { "description": "According to Proofpoint, IcedID (aka BokBot) is malware originally classified as a banking trojan and first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server and downloads the standard DLL Loader, which in turn delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER.\r\n\r\nAs previously published, historically there has been just one version of IcedID, which remained constant since 2017.\r\n* In November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed 'IcedID Lite', distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.\r\n* The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat), which results in the IcedID Lite DLL Loader and then delivers the Forked version of the IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.\r\n* Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. 
This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", "https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well", "https://isc.sans.edu/diary/29740", "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure", "https://www.group-ib.com/blog/icedid", "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice", "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", 
"https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html", "https://nikpx.github.io/malware/analysis/2022/03/09/BokBot", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros", "https://unit42.paloaltonetworks.com/atoms/monsterlibra/", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/", "https://intel471.com/blog/malvertising-surges-to-distribute-malware", "https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2", "https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", "https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/", "https://0x0d4y.blog/icedid-technical-analysis/", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/", "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://twitter.com/felixw3000/status/1521816045769662468", "https://tccontre.blogspot.com/2021/01/", "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims", 
"https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders", "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884", "https://www.youtube.com/watch?v=7Dk7NkIbVqY", "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html", "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid", "https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/", "https://netresec.com/?b=214d7ff", "https://eln0ty.github.io/malware%20analysis/IcedID/", "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/", "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html", "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html", "https://www.youtube.com/watch?v=wObF9n2UIAM", "https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/", "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", "https://cert.gov.ua/article/39609", "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/", "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/", "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", 
"http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://www.youtube.com/watch?v=wMXD4Sv1Alw", "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader", "https://twitter.com/Unit42_Intel/status/1645851799427874818", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://github.com/f0wl/deICEr", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://blog.reconinfosec.com/an-encounter-with-ta551-shathak", "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html", "https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/", "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240", "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/", "https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html", 
"https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", "https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/", "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid", "https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view", "https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/", "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan", "https://isc.sans.edu/diary/rss/28934", "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", "https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary", "https://isc.sans.edu/diary/28636", "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917", "https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://blog.group-ib.com/prometheus-tds", "https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf", 
"https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/", "https://forensicitguy.github.io/analyzing-icedid-document/", "https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/", "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/", "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", "https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html", "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1", "https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol", "https://twitter.com/embee_research/status/1592067841154756610?s=20", "https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/", "https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/", "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", "https://malwation.com/icedid-malware-technical-analysis-report/", "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", "https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/", "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html", "https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/", 
"https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://blog.minerva-labs.com/icedid-maas", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back", "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", "https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns", "https://www.youtube.com/watch?v=YEqLIR6hfOM", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", "https://www.team-cymru.com/post/from-chile-with-malware", "https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/", "https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/", "https://blog.techevo.uk/analysis/binary/2024/03/17/carving-the-icedid-part-3.html", "https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion", "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ", 
"https://www.binarydefense.com/icedid-gziploader-analysis/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.ironnet.com/blog/ransomware-graphic-blog", "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/", "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/", "https://www.elastic.co/security-labs/unpacking-icedid", "https://0x0d4y.blog/icedid-technical-analysis-of-x64-dll-version/", "https://ceriumnetworks.com/threat-of-the-month-icedid-malware/", "https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", "https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic", "https://www.youtube.com/watch?v=oZ4bwnjcXWg", "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", "https://github.com/telekom-security/icedid_analysis", 
"https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/", "https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem", "https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection", "https://github.com/0xThiebaut/PCAPeek/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol" ], "synonyms": [ "BokBot", "IceID" ], "type": [] }, "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", "value": "IcedID" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection", "https://threatray.com/blog/a-new-icedid-gziploader-variant/" ], "synonyms": [], "type": [] }, 
"uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16", "value": "IcedID Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog", "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", "http://www.kz-cert.kz/page/502", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf" ], "synonyms": [ "Fucobha" ], "type": [] }, "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", "value": "Icefog" }, { "description": "IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language that threat actors have adopted over the past two years, most notably for NimzaLoader, the Nim-based variant of BazarLoader used by the TrickBot group.\r\n\r\nVersion 1 was written in AutoIt.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icexloader", "https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim" ], "synonyms": [], "type": [] }, "uuid": "eb1b3335-9002-49ad-b917-fcc188556d49", "value": "win.icexloader" }, { "description": "According to nao_sec, this malware is an IIS backdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_cache", "https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html" ], "synonyms": [], "type": [] }, "uuid": "d82b5e51-9785-40cd-b4f5-e47a6eb1bfaa", "value": "IceCache" }, { "description": "According to nao_sec, this malware is a simple passive-mode backdoor that is installed as a service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_event", 
"https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html" ], "synonyms": [], "type": [] }, "uuid": "d5037590-7753-401e-8572-b7797dece3bb", "value": "IceEvent" }, { "description": "The ICE IX bot is a banking trojan derived from Zeus, as it reuses significant parts of the leaked Zeus source code. ICE IX communicates over the HTTP protocol, which places it among the third-generation botnets. While it has been used for a variety of purposes, the primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, executing it establishes a master-slave relationship between the botmaster and the compromised computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix", "https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/", "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus", "https://securelist.com/ice-ix-not-cool-at-all/29111/", "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/" ], "synonyms": [], "type": [] }, "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", "value": "Ice IX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown", "https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html" ], "synonyms": [], "type": [] }, "uuid": "4f7ae3da-948c-4f74-8229-d5d7461f9c7d", "value": "IconDown" }, { "description": "Follow-up payload in the 3CX supply chain incident, which according to Volexity is an infostealer that collects information about the system and browsers using an embedded copy of the SQLite3 library.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer", "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack", 
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise", "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack" ], "synonyms": [], "type": [] }, "uuid": "24fed92f-7e8f-449f-857f-d409d3bf8b48", "value": "IconicStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart" ], "synonyms": [ "Troxen" ], "type": [] }, "uuid": "bcc8b6ea-9295-4a22-a70d-422b1fd9814e", "value": "IcyHeart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey", "https://isc.sans.edu/diary/22766" ], "synonyms": [], "type": [] }, "uuid": "3afecded-3461-45f9-8159-e8328e56a916", "value": "IDKEY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/", "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" ], "synonyms": [], "type": [] }, "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6", "value": "IISniff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iispy", "https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/", "https://blog.talosintelligence.com/dragon-rank-seo-poisoning/" ], "synonyms": [ "BadIIS" ], "type": [] }, "uuid": "74afd7ae-8349-4186-9c85-82a45a2486c9", "value": "IISpy" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.imap_loader", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "ffcd59c0-56d0-4693-9804-e46e5dcd21ce", "value": "IMAPLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7", "value": "Imecab" }, { "description": "MITRE describes Imminent Monitor as a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html", "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/", 
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" ], "synonyms": [], "type": [] }, "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", "value": "Imminent Monitor RAT" }, { "description": "ZScaler describes Immortal Stealer as a windows malware written in .NET designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.immortal_stealer", "https://www.zscaler.com/blogs/research/immortal-information-stealer" ], "synonyms": [], "type": [] }, "uuid": "5f688e85-5f33-4ae6-880a-fc2e5146dd28", "value": " Immortal Stealer" }, { "description": "ImprudentCook is an HTTP(S) downloader.\r\n\r\nIt was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021. \r\n\r\nIt uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication.\r\n\r\nIt’s hidden in an ADS stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data).\r\n\r\nIt contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:\r\n\r\n1. iKc;__uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID;__\r\nutma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_\r\nenabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo\r\n\r\n2. 
channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_\r\nblog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain\r\n\r\nIt contains a string, \"5.40\" or \"5.60\", looking like version information.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://asec.ahnlab.com/ko/22975/" ], "synonyms": [], "type": [] }, "uuid": "76269425-73c2-4ce5-aab5-da744ad6bc1f", "value": "ImprudentCook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.incontroller", "https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan", "https://twitter.com/silascutler/status/1514366443277766656" ], "synonyms": [], "type": [] }, "uuid": "3ed3e880-1b93-4ca2-9e9d-0e429c4c895f", "value": "INCONTROLLER" }, { "description": "Keylogger written in Visual Basic dating back to at least 2012.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.incubator", "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/" ], "synonyms": [], "type": [] }, "uuid": "b03201bd-8307-4c66-915e-d8f623084abe", "value": "Incubator" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.indigodrop", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html" ], "synonyms": [], "type": [] }, "uuid": "e98b19ce-82c3-472d-98d1-d81341af4267", "value": "IndigoDrop" }, { "description": "A ransomware that emerged in April 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy", 
"https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware" ], "synonyms": [], "type": [] }, "uuid": "69fc6a53-3ef1-47e8-bcdb-e300d2a972a7", "value": "Industrial Spy" }, { "description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics", 
"https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://cert.gov.ua/article/39518", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://sos-vo.org/sites/sos-vo.org/files/2024-04/HoTSoS2024_TaleOfTwoIndustroyers.pdf", "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://en.wikipedia.org/wiki/Industroyer" ], "synonyms": [ "Crash", "CrashOverride" ], "type": [] }, "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", "value": "Industroyer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", "https://twitter.com/silascutler/status/1513870210398363651", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://pylos.co/2022/04/23/industroyer2-in-perspective/", "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", 
"https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/", "https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis", "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://blog.scadafence.com/industroyer2-attack", "https://cert.gov.ua/article/39518", "https://sos-vo.org/sites/sos-vo.org/files/2024-04/HoTSoS2024_TaleOfTwoIndustroyers.pdf", "https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/", "https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure", "https://www.mandiant.com/resources/blog/gru-disruptive-playbook" ], "synonyms": [], "type": [] }, "uuid": "fa54359c-4a3f-45ea-a941-f2105aa27ef4", "value": "INDUSTROYER2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.inferno", "https://github.com/LimerBoy/Inferno" ], "synonyms": [], "type": [] }, "uuid": "7638ac2e-0cdc-4101-8e3d-54b7b74a9c92", "value": "Inferno" }, { "description": "InfinityLock ransomware is a type of malicious software that encrypts a victim's files and demands a ransom payment in order to decrypt them. It is spread through phishing emails and malicious websites. Once a computer is infected with InfinityLock, it encrypts all important files, such as documents, photos, and videos. 
It then displays a message that demands the victim pay a ransom of $1,000 in Bitcoin in order to decrypt the files. If the victim does not pay the ransom, the files will be lost permanently.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infinitylock", "https://anti-spyware-101.com/remove-infinitylock-ransomware" ], "synonyms": [], "type": [] }, "uuid": "37fca614-e29a-4029-8afd-d3de61aa3ba0", "value": "InfinityLock" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infodot", "https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "e0ce5055-45cd-46d2-971f-bb3904ec43a1", "value": "InfoDot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/", "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf", "https://research.checkpoint.com/2021/after-lightning-comes-thunder/", "https://cloud.tencent.com/developer/article/1738806", "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/" ], "synonyms": [ "Foudre" ], "type": [] }, "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2", "value": "Infy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.inlock", 
"https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants" ], "synonyms": [], "type": [] }, "uuid": "3071e2d4-c692-4054-a7bf-db9af6fe3b63", "value": "Inlock" }, { "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat", "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" ], "synonyms": [], "type": [] }, "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", "value": "InnaputRAT" }, { "description": "InnfiRAT is coded in .NET and targets personal data on infected devices, with its top priority appearing to be bitcoin and litecoin wallet data.\r\n\r\nInnfiRAT also includes a backdoor which allows attackers to control the infected host remotely. Possibilities include logging keystrokes, taking pictures with the webcam, accessing confidential information, formatting drives, and more.\r\n\r\nIt attempts to steal browser cookies to steal usernames and passwords and monitors the user's activities with screenshot functionality. \r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innfirat", "https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more" ], "synonyms": [], "type": [] }, "uuid": "b6aec7a7-7ebc-4aad-bcdf-1c3cb7044e3c", "value": "win.innfirat" }, { "description": "ESET noticed attacks against aerospace and military companies in Europe and the Middle East that took place between September and December 2019, which featured this family. 
They found a number of hints that point towards Lazarus as a potential origin.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.interception", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" ], "synonyms": [], "type": [] }, "uuid": "fa022849-248c-4620-86b4-2a36c704b288", "value": "Interception (Windows)" }, { "description": "According to Cyble, the Invicta Stealer can collect system information, system hardware details, wallet data, and browser data and extract information from applications like Steam and Discord.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invicta_stealer", "https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/" ], "synonyms": [], "type": [] }, "uuid": "00a078bf-90db-4275-b7bd-0da757dd2284", "value": "Invicta Stealer" }, { "description": "InvisiMole had a modular architecture, starting with a wrapper DLL, and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers spy on the victim. \r\nThe malicious actors behind this malware were active since at least 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which caused it to be loaded during Windows startup into the Windows Explorer process instead of the legitimate library.\r\nThe malware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.\r\n\r\nThe smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. 
The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.\r\n\r\nThe second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/", "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" ], "synonyms": [], "type": [] }, "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", "value": "InvisiMole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ipstorm", "https://maldbg.com/ipstorm-golang-malware-windows" ], "synonyms": [], "type": [] }, "uuid": 
"c32661f5-8281-424e-9726-c5beb1ab2c5e", "value": "IPStorm (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironcat", "https://aaronrosenmund.com/blog/2020/09/26/ironcat-ransmoware/", "https://twitter.com/demonslay335/status/1308827693312548864" ], "synonyms": [], "type": [] }, "uuid": "c6fc8419-afb1-4e99-a6cf-4288ead2381b", "value": "Ironcat" }, { "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "https://www.symantec.com/security-center/writeup/2015-122210-5128-99", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" ], "synonyms": [], "type": [] }, "uuid": "44599616-3849-4960-9379-05307287ff80", "value": "IRONHALO" }, { "description": "According to Mitre, IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironnetinjector", "https://unit42.paloaltonetworks.com/ironnetinjector/" ], "synonyms": [], "type": [] }, "uuid": "5ec639ab-f6c1-4cbb-87b1-d59344878e98", 
"value": "IronNetInjector" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironwind", "https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government" ], "synonyms": [], "type": [] }, "uuid": "91c94b56-68c6-4249-a718-e0dc00de8fce", "value": "IronWind" }, { "description": "According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victim’s machine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper", "https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/", "https://www.brighttalk.com/webcast/15591/534324", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/", "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/", "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", 
"https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", "https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/", "https://twitter.com/ESETresearch/status/1521910890072842240", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", "https://experience.mandiant.com/trending-evil-2/p/1", "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/" ], "synonyms": [ "LASAINRAW" ], "type": [] }, "uuid": "6fb2d1bb-f8a4-4f73-9ea7-a4a9aae4f609", "value": "IsaacWiper" }, { "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. 
The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/", "https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", 
"https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/", "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle", "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html", "https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware", "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/", "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/", "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", 
"https://redcanary.com/resources/webinars/deep-dive-process-injection/", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", 
"https://github.com/mlodic/ursnif_beacon_decryptor", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", "https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/", "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", "https://lokalhost.pl/gozi_tree.txt", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/", "https://blog.group-ib.com/gozi-latest-ttps", "https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/", "https://www.bridewell.com/insights/news/detail/hunting-for-ursnif", "https://www.tgsoft.it/files/report/download.asp?id=568531345", "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html", "https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072", "https://www.youtube.com/watch?v=KvOpNznu_3w", "http://benkow.cc/DreambotSAS19.pdf", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware", "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", "https://www.cyberbit.com/new-ursnif-malware-variant/", 
"https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader", "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work", "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html", "https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass", "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/", "https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/", "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif", "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef", "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", 
"https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy" ], "synonyms": [ "Gozi ISFB", "IAP", "Pandemyia" ], "type": [] }, "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", "value": "ISFB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent", "http://www.clearskysec.com/ismagent/", "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] }, "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2", "value": "ISMAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor", "http://www.clearskysec.com/greenbug/", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia" ], "synonyms": [], "type": [] }, "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b", "value": "ISMDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger", "https://www.zscaler.com/blogs/research/ispy-keylogger", "https://www.secureworks.com/research/threat-profiles/gold-skyline" ], "synonyms": [], "type": [] }, "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", "value": "iSpy Keylogger" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://twitter.com/malwrhunterteam/status/1085162243795369984" ], "synonyms": [], "type": [] }, "uuid": "c5cec575-325c-44b8-af24-4feb330eec8a", "value": "IsraBye" }, { "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses a hard-coded user agent string: HardCore Software For : Public", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer", "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/" ], "synonyms": [], "type": [] }, "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989", "value": "ISR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://www.secureworks.com/research/threat-profiles/bronze-express", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", "https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/" ], "synonyms": [ "NfLog RAT" ], "type": [] }, "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a", "value": "IsSpace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ixware", "https://fr3d.hk/blog/ixware-kids-will-be-skids" ], "synonyms": [], "type": [] 
}, "uuid": "5710dffa-ec02-4e5c-848e-47af13f729d7", "value": "IXWare" }, { "description": "According to Kaspersky Labs, this malware tool set has been used by APT group GoldenJackal, which has been observed since 2019 and which usually targets government and diplomatic entities in the Middle East and South Asia with espionage. It consists of multiple components and is written in .NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackal", "https://securelist.com/goldenjackal-apt-group/109677/" ], "synonyms": [], "type": [] }, "uuid": "5f601f0a-13f7-40b5-9cf1-2eb50d5bad64", "value": "Jackal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos" ], "synonyms": [], "type": [] }, "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2", "value": "JackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff", "http://malware-traffic-analysis.net/2017/05/16/index.html", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://clairelevin.github.io/malware/2023/02/14/jaff.html" ], "synonyms": [], "type": [] }, "uuid": "2c51a717-726b-4813-9fcc-1265694b128e", "value": "Jaff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor" ], "synonyms": [], "type": [] }, "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9", "value": "Jager Decryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku", "https://www.brighttalk.com/webcast/7451/538775", "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/", 
"https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf", "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146" ], "synonyms": [ "C3PRO-RACOON", "EQUINOX", "KCNA Infostealer", "Reconcyc" ], "type": [] }, "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112", "value": "Jaku" }, { "description": "According to Zscaler, JanelaRAT is a heavily modified variant of BX RAT. Its focus is set on harvesting LATAM financial data and its method of extracting window titles for transmission underscores its targeted and stealthy nature. With an adaptive approach utilizing dynamic socket configuration and exploiting DLL side-loading from trusted sources, JanelaRAT poses a significant threat. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.janela_rat", "https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech" ], "synonyms": [], "type": [] }, "uuid": "d8455b0c-1d0b-4857-8e6a-abc6892cf7b9", "value": "JanelaRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.janeleiro", "https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/", "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf" ], "synonyms": [], "type": [] }, "uuid": "2ebce129-d59e-401c-9259-9009d9b2d50f", "value": "Janeleiro" }, { "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to “harvest” the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). 
Username and password list can be selected and threads number should be provided in order to optimize the attack balance.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jason", "https://twitter.com/P3pperP0tts/status/1135503765287657472", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://marcoramilli.com/2019/06/06/apt34-jason-project/" ], "synonyms": [], "type": [] }, "uuid": "e101a605-c30f-4222-9549-4745d0d769cd", "value": "jason" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea", "value": "Jasus" }, { "description": "Ransomware written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry", "https://twitter.com/0xffff0800/status/1102078898320302080", "https://twitter.com/IdoNaor1/status/1101936940297924608" ], "synonyms": [], "type": [] }, "uuid": "fea703ec-9b24-4119-96b3-7ae6bec3b203", "value": "JCry" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jeno", "https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html" ], "synonyms": [ "Jest", "Valeria" ], "type": [] }, "uuid": "a1d7e117-4ca9-4d67-a4dd-53626827ed2f", "value": "Jeno" }, { "description": "JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker’s arsenal. 
The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.\r\n\r\nThe malware was delivered in-the-wild via trojanized applications like DeFi Wallet or Citrix Workspace.\r\n\r\nJessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol \".?AVCHttpConn@@\", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea", "https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf", "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html", "https://securelist.com/lazarus-trojanized-defi-app/106195/", "https://asec.ahnlab.com/en/57685/" ], "synonyms": [], "type": [] }, "uuid": "8f286f97-30c8-4281-887b-9cbede9f1e1e", "value": "JessieConTea" }, { "description": "Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.talosintelligence.com/2020/01/jhonerat.html", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "6dd8c953-f500-46dd-bacf-78772222f011", "value": "JhoneRAT" }, { "description": "According to PCrisk, Jigsaw is ransomware that uses the AES algorithm to encrypt various files stored on computers. 
Targeted files include .jpg, .docx, .mp3, .mp4, and many others.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw", "https://threatmon.io/solving-the-puzzle-reversing-the-new-stealer-jigsaw/" ], "synonyms": [], "type": [] }, "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9", "value": "Jigsaw" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy", "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" ], "synonyms": [], "type": [] }, "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e", "value": "Jimmy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jinxloader", "https://yaraify.abuse.ch/yarahub/rule/mal_jinxv2loader/" ], "synonyms": [], "type": [] }, "uuid": "76e3447a-124a-4eb1-8968-fbe0818b280a", "value": "JinxLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" ], "synonyms": [], "type": [] }, "uuid": "8d3ed9af-c136-47a4-a0d2-50c8248435a4", "value": "JLORAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/", "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", 
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [], "type": [] }, "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b", "value": "Joanap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao", "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" ], "synonyms": [], "type": [] }, "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6", "value": "Joao" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jobcrypter", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots" ], "synonyms": [], "type": [] }, "uuid": "30c047ea-27c9-4b01-8532-bcaa661be85f", "value": "win.JobCrypter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob", "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ], "synonyms": [], "type": [] }, "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631", "value": "Jolob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker", "http://marcmaiffret.com/vault7/" ], "synonyms": [], "type": [] }, "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a", "value": "JQJSNICKER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" ], "synonyms": [], "type": [] }, "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2", "value": "JripBot" }, { "description": "JSOutProx is a sophisticated attack framework built using both Javascript and .NET. 
It uses the .NET (de)serialization feature to interact with a Javascript file which is the core module running on a victim machine. Once the malware is run on the victim, the framework can load several plugins performing additional malicious activities on the target.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/", "https://twitter.com/zlab_team/status/1208022180241530882", "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/", "https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf", "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese", "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat", "https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/", "https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse" ], "synonyms": [], "type": [] }, "uuid": "5e4fbe90-c043-4ac3-9fd5-d9e7d9bb173f", "value": "JSOutProx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader", "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor", "https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni", "https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files", "https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware", "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf", "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", "https://www.mandiant.com/resources/evolution-of-fin7", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded", "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html" ], "synonyms": [], "type": [] }, "uuid": "5db89188-568d-40d2-9320-5fb4a06fbd51", "value": "JSSLoader" }, { "description": "As described on the Github repository page, \"A sugared version of RottenPotatoNG, with a bit of juice, i.e. 
another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\\SYSTEM\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato", "https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/", "https://github.com/ohpe/juicy-potato", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/", "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf", "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" ], "synonyms": [], "type": [] }, "uuid": "4dc0dccf-ac68-4464-b193-6519ffe00617", "value": "JuicyPotato" }, { "description": "According to FireEye, JUMPALL is a malware dropper that has been observed \r\ndropping HIGHNOON/ZXSHELL/SOGU.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jumpall", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "a08db33d-4c37-4075-bd49-c3ab66a339db", "value": "JUMPALL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupiter", "https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/", "https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499" ], "synonyms": [ "EarlyRAT" ], "type": [] }, "uuid": "47baaed8-073c-4a13-92dc-434210ea3cd0", "value": "Jupiter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"eab42a8e-22e7-49e4-8a26-44f14b6f67bb", "value": "KAgent" }, { "description": "A Telegram bot with browser stealing capabilities, written using the .NET framework.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kami", "https://twitter.com/jaydinbas/status/1604918636422070289" ], "synonyms": [], "type": [] }, "uuid": "d78ade16-d038-44b6-adfa-2439dcaf4d87", "value": "Kami" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kapeka", "https://cert.gov.ua/article/6278706", "https://www.ctfiot.com/183017.html", "https://threatmon.io/understanding-the-kapeka-backdoor-detailed-analysis-by-apt44/", "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf", "https://threatmon.io/storage/understanding-the-kapeka-backdoor-detailed-analysis-by-apt44.pdf" ], "synonyms": [ "ICYWELL", "KNUCKLETOUCH", "QUEUESEED", "WRONGSENS" ], "type": [] }, "uuid": "f1a916da-ae8f-4a09-94cf-b93b6443d421", "value": "Kapeka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "https://www.secureworks.com/research/threat-profiles/iron-liberty" ], "synonyms": [ "Karagny" ], "type": [] }, "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb", "value": "Karagany" }, { "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. 
banking trojans/credential theft etc. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader", "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/", "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab" ], "synonyms": [], "type": [] }, "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8", "value": "Kardon Loader" }, { "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 is in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius", "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/", "https://research.checkpoint.com/banking-trojans-development/" ], "synonyms": [], "type": [] }, "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", "value": "Karius" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff", "https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/", 
"https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater", "https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/", "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" ], "synonyms": [ "CACTUSPIPE", "MailDropper", "OILYFACE" ], "type": [] }, "uuid": "a45c16d9-6945-428c-af46-0436903f9329", "value": "Karkoff" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware", "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728", "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/", "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/", "https://www.youtube.com/watch?v=hgz5gZB3DxE" ], "synonyms": [], "type": [] }, "uuid": "2667c9a6-4811-4535-95a1-3b75ba853a03", "value": "Karma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent", "https://www.threatconnect.com/blog/kasperagent-malware-campaign/", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" ], "synonyms": [], "type": [] }, 
"uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c", "value": "KasperAgent" }, { "description": "Trend Micro describes this as a Ransomware with possible ties to BlackMatter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasseika", "https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html" ], "synonyms": [], "type": [] }, "uuid": "5042b9a3-e0f1-4807-9e54-779e5de17beb", "value": "Kasseika" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar", "https://securelist.com/apt-trends-report-q1-2021/101967/", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://twitter.com/msftsecintel/status/1681695399084539908", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", "https://youtu.be/SW8kVkwDOrc?t=24706", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://cert.gov.ua/article/5213167", "https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/", "https://www.epicturla.com/blog/sysinturla", "https://securelist.com/it-threat-evolution-q2-2023/110355/", "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/", "https://securelist.com/sunburst-backdoor-kazuar/99981/" ], "synonyms": [], "type": [] }, "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca", "value": "Kazuar" }, { "description": "According to Karsten Hahn, a straightforward loader that runs assemblies from images.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazyloader", "https://twitter.com/struppigel/status/1501105224819392516" ], "synonyms": [], "type": [] }, "uuid": "a6f86df6-d822-4143-bdfe-149e70bcf1a0", "value": "KazyLoader" }, { "description": 
"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge", "https://us-cert.cisa.gov/ncas/alerts/aa21-336a" ], "synonyms": [], "type": [] }, "uuid": "77c4a0e7-7ee1-446a-bc5d-8dd596d9d5fc", "value": "KDC Sponge" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://intel471.com/blog/a-brief-history-of-ta505" ], "synonyms": [], "type": [] }, "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755", "value": "Kegotip" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kekw", "https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html" ], "synonyms": [ "KEKW-Locker" ], "type": [] }, "uuid": "b178de96-14a3-49f1-a957-c83f86e23e83", "value": "KEKW" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos", "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", "https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet", "https://en.wikipedia.org/wiki/Kelihos_botnet", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/", "https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/", "https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/" ], "synonyms": [], "type": [] }, "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", "value": "Kelihos" }, { "description": "Stealer written in Python, available as open source on Github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kematian", 
"https://www.linkedin.com/posts/threatmon_kematian-stealer-technical-malware-analysis-ugcPost-7219295620807696384-8bde?utm_source=share&utm_medium=member_desktop", "https://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/" ], "synonyms": [], "type": [] }, "uuid": "e03bdd1c-42cc-4483-ac2d-177ed62a0cf5", "value": "Kematian Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keona", "https://twitter.com/3xp0rtblog/status/1536704209760010241" ], "synonyms": [], "type": [] }, "uuid": "b74ad48b-ac26-4748-adac-b824defbe315", "value": "Keona" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", "https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf", "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", "https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7", "https://blog.cystack.net/word-based-malware-attack/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "bd9e21d1-7da3-4699-816f-0e368a63bc18", "value": "KerrDown" }, { "description": "Ketrican is a backdoor trojan used by APT 15.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/", "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/", "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf" ], "synonyms": [], "type": [] }, "uuid": "86cd2563-b343-4cce-ac2d-a17afbc77dfd", "value": "Ketrican" }, { "description": "Intezer found this family mid May 2020, which appears to be a merger of the family Ketrican and Okrum.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum", "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/" ], "synonyms": [], "type": [] }, "uuid": "99d6cb80-bae2-4a97-8ec7-401f9570f237", "value": "Ketrum" }, { "description": "KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase", "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/", "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/", "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/", "https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017", "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/", "https://voidsec.com/keybase-en/", "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html" ], "synonyms": [ "Kibex" ], "type": [] }, "uuid": "8a7bb20e-7e90-4330-8f53-744bd5519f6f", "value": "KeyBase" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy", "https://citizenlab.ca/2016/11/parliament-keyboy/", "https://www.secureworks.com/research/threat-profiles/bronze-hobart", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/" ], "synonyms": [ "TSSL" ], "type": [] }, "uuid": "28c13455-7f95-40a5-9568-1e8732503507", "value": "KeyBoy" }, { "description": "According to Walmart Global Tech, Keyhole is a multi-functional VNC/Backconnect component used extensively by IcedID/Anubis. While the malware contains functionality that has been previously reported on as typical VNC and HDESK capabilities, a general lack of technical information appears to exist around some of the expanded functionality currently present.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyhole", "https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03" ], "synonyms": [], "type": [] }, "uuid": "283dcc47-975a-402c-9dd8-b2d5f7d9eee7", "value": "Keyhole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3", "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/", "https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html", "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "https://twitter.com/smoothimpact/status/773631684038107136" ], "synonyms": [], "type": [] }, "uuid": "68039fbe-2eee-4666-b809-32a011e9852a", "value": "APT3 Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", 
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A", "https://research.checkpoint.com/north-korea-turns-against-russian-targets/" ], "synonyms": [], "type": [] }, "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5", "value": "KEYMARBLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw" ], "synonyms": [], "type": [] }, "uuid": "d073b11a-a941-48b9-8e88-b59ffab9fcda", "value": "KGH_SPY" }, { "description": "A compact ransomware written in .NET and delivered as follow-up to Log4J exploitation, targeting Windows servers. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khonsari", "https://assets.virustotal.com/reports/2021trends.pdf", "https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/", "https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks" ], "synonyms": [], "type": [] }, "uuid": "76a7c43f-73d7-4f4f-acac-1fcaa150bf72", "value": "Khonsari" }, { "description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. 
KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat", "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor", "https://unit42.paloaltonetworks.com/atoms/rancortaurus/", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/", "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/" ], "synonyms": [], "type": [] }, "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047", "value": "KHRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493", "value": "Kikothac" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killav", "https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/", "https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", "https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/", "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", "https://www.mandiant.com/resources/unc2596-cuba-ransomware" ], "synonyms": [ "BURNTCIGAR" ], "type": [] }, "uuid": "ad6ac685-e13f-4522-9805-644f82818347", "value": "KillAV" }, { "description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. 
Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt", "https://www.secureworks.com/research/threat-profiles/iron-viking", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks", "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", "https://attack.mitre.org/groups/G0034", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027", "value": "KillDisk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killsomeone", "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/" ], "synonyms": [], "type": [] }, "uuid": "4d431d90-9dd5-4a77-9084-c010d6504f78", "value": "KilllSomeOne" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimjongrat", "https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F" ], "synonyms": [], "type": [] }, "uuid": "61edd17b-322d-45dc-a6a0-31c13ec2338e", "value": "KimJongRat" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky", "https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign", "https://asec.ahnlab.com/en/37396/", "https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9", "https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html", "https://threatmon.io/unraveling-the-layers-analysis-of-kimsukys-multi-staged-cyberattack/", "https://asec.ahnlab.com/en/30532/", "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/", "https://blog.alyac.co.kr/2347", "https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", "https://asec.ahnlab.com/en/53046/", "https://blog.prevailion.com/2019/09/autumn-aperture-report.html" ], "synonyms": [], "type": [] }, "uuid": "860643d6-5693-4e4e-ad1f-56c49faa10a7", "value": "Kimsuky" }, { "description": "According to Sophos, the botnet has been active since 2018. Initially, the botmasters operated DDoS tools and backdoors, but later moved on to cryptocurrency miners. 
They use a DGA to automatically change the hosting\r\ndomains every week.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer", "https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf", "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/", "https://news.sophos.com/en-us/2020/06/09/kingminer-report/", "https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://asec.ahnlab.com/en/32572/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "04d95343-fd44-471d-bfe7-908994a98ea7", "value": "Kingminer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins", "https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html", "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://github.com/nyx0/KINS" ], "synonyms": [ "Kasper Internet Non-Security", "Maple" ], "type": [] }, "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", "value": "KINS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html" ], "synonyms": [], "type": [] }, "uuid": "6c585194-96d3-463d-ac21-aa942439cc26", "value": "KIVARS (Windows)" }, { "description": "Microsoft describes 
that threat actor ZINC is using Klackring as a malware dropped by ComeBacker, both being used to target security researchers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klackring", "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/" ], "synonyms": [], "type": [] }, "uuid": "03a4eb90-8d88-49c7-a973-2201115ea5a8", "value": "Klackring" }, { "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer" ], "synonyms": [ "Joglog", "Parasite" ], "type": [] }, "uuid": "618b6f23-fc83-4aff-8b0a-7f7138be625c", "value": "KleptoParasite Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klingon_rat", "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/" ], "synonyms": [], "type": [] }, "uuid": "5f501884-2c72-4780-aaa6-c6b65e84fad8", "value": "KlingonRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klogexe", "https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" ], "synonyms": [], "type": [] }, "uuid": "c71d0fcd-618d-49a5-a1e1-607e275a7ada", "value": "KLogEXE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html" ], "synonyms": [], "type": [] }, "uuid": "70459959-5a20-482e-b714-2733f5ff310e", 
"value": "KLRD" }, { "description": "According to Symantec, this is a ransomware written in Golang and obfuscated with Gobfuscate. The source code for Knight (originally known as Cyclops) was offered for sale on underground forums in February 2024 after Knight’s developers decided to shut down their operation.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.knight", "https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware" ], "synonyms": [ "Cyclops" ], "type": [] }, "uuid": "1b251f88-4a9d-4edf-89d9-50c30d989a6f", "value": "Knight" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.knot", "https://twitter.com/malwrhunterteam/status/1345313324825780226" ], "synonyms": [], "type": [] }, "uuid": "0479b7cd-982e-430e-a96e-338aec8ae3cf", "value": "Knot" }, { "description": "Koadic is an open-source post-exploitation framework for Windows, created by zerosum0x0 and available on GitHub. The framework is written in Python and can generate JScript and VBScript payloads which can be written to disk or mapped directly into memory. Its capabilities include remote desktop access, command execution, lateral movement via SMB, file transfer, credential theft using Mimikatz, port scanning, and system information collection. 
It can also collect specific system information and targeted files based on their name or extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic", "http://www.secureworks.com/research/threat-profiles/cobalt-ulster", "https://github.com/zerosum0x0/koadic", "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://blog.tofile.dev/2020/11/28/koadic_jarm.html", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.secureworks.com/research/threat-profiles/cobalt-ulster" ], "synonyms": [], "type": [] }, "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6", "value": "Koadic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader", "https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer" ], "synonyms": [], "type": [] }, "uuid": "4163e613-40a0-4ca5-8ed2-2f014eb64bb3", "value": "Koi Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koistealer", "https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer" ], "synonyms": [], "type": [] }, "uuid": "9f6e745e-086b-4126-bc21-6e2a83115ddc", "value": "Koi Stealer" }, { "description": "A loader written in .NET.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.koivm", "https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/" ], "synonyms": [], "type": [] }, "uuid": "4b7c6af1-1980-452f-9405-e42d0066ff2d", "value": "KoiVM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt", "https://twitter.com/struppigel/status/1249386991197847558", "https://twitter.com/struppigel/status/812726545173401600" ], "synonyms": [], "type": [] }, "uuid": "f7674d06-450a-4150-9180-afef94cce53c", "value": "KokoKrypt" }, { "description": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, creating a reverse shell, running WMI queries, and retrieving information about the infected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo", "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx" ], "synonyms": [ "Splinter RAT" ], "type": [] }, "uuid": "116f4c5f-fd51-4e90-995b-f16c46523c06", "value": "KOMPROGO" }, { "description": "Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. 
The group's primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni", "https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf", "https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/", "https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/", "https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf", "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/", "https://wezard4u.tistory.com/6693", "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-227a", "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b", "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant", "https://blog.alyac.co.kr/2474", "https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/", "https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3", "https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/", "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html", "https://threatmon.io/the-konni-apt-chronicle-tracing-their-intelligence-driven-attack-chain/", 
"https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/" ], "synonyms": [], "type": [] }, "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf", "value": "Konni (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf" ], "synonyms": [], "type": [] }, "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3", "value": "KoobFace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia", "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/", "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html", "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf", "https://securitykitten.github.io/2014/11/25/curious-korlia.html", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/", "https://asec.ahnlab.com/1298", "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit", "https://www.youtube.com/watch?v=_fstHQSK-kk", 
"https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf", "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf", "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-huntley", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/" ], "synonyms": [ "Bisonal" ], "type": [] }, "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7", "value": "Korlia" }, { "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter became fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter were packed together\r\nJan 2018 - Cylance report on Persistence", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter", "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://0xchrollo.github.io/articles/unpacking-kovter-malware/", 
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.cybereason.com/blog/how-click-fraud-commodity-malware-transforms-into-an-advanced-threat", "https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update", "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663", "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md", "https://ry0dan.github.io/malware%20analysis/unpacking-kovter-malware/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless" ], "synonyms": [], "type": [] }, "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e", "value": "Kovter" }, { "description": "KPOT is an information-stealing Trojan horse that can steal information from infected computers. It is distributed through phishing emails and malicious websites. 
Once executed on a computer, KPOT can steal passwords, credit card numbers, and other personal information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer", "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/", "https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/", "https://isc.sans.edu/diary/25934", "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://isc.sans.edu/diary/26010", "https://news.drweb.com/show/?i=13242&lng=en", "https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware", "https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/" ], "synonyms": [ "Khalesi", "Kpot" ], "type": [] }, "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d", "value": "KPOT Stealer" }, { "description": "According to ESET, this malware family is a banking trojan and was active in Brazil until the middle of 2019. 
Its most noticeable characteristic was its usage of well-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans that mainly use custom encryption schemes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krachulka", "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/" ], "synonyms": [], "type": [] }, "uuid": "1ddcb067-e876-4eff-8bb7-e28c089d99a3", "value": "Krachulka" }, { "description": "A ransomware that was active in 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken", "https://www.recordedfuture.com/kraken-cryptor-ransomware/", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/", "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/" ], "synonyms": [], "type": [] }, "uuid": "3d7ae6b9-8161-470e-a7b6-752151b21657", "value": "Kraken" }, { "description": "KrakenKeylogger is a .NET-based infostealer sold on underground hacking forums.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krakenkeylogger", "https://0xtoxin.github.io/threat%20hunting/KrakenKeylogger-pt2/", "https://0xtoxin.github.io/malware%20analysis/KrakenKeylogger-pt1/" ], "synonyms": [], "type": [] }, "uuid": "6b15469a-64ff-4edc-99dd-60f7a277d5c1", "value": "KrakenKeylogger" }, { "description": "ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. 
It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker", "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/", "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html", "https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/", "https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/", "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/" ], "synonyms": [ "BlackMoon" ], "type": [] }, "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce", "value": "KrBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader" ], "synonyms": [], "type": [] }, "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972", "value": "KrDownloader" }, { "description": "Kronos malware is a sophisticated banking Trojan that first emerged in 2014. It is designed to target financial institutions and steal sensitive banking information. The malware is primarily spread through phishing campaigns and exploit kits. Once installed on a victim's computer, Kronos can capture login credentials, credit card details, and other personal information by keylogging and form grabbing techniques. It can also bypass security measures such as two-factor authentication. Kronos employs advanced evasion techniques to avoid detection by antivirus software and actively updates itself to evade security patches. It has been known to target a wide range of banking systems and has affected numerous organizations worldwide. 
The malware continues to evolve, making it a significant threat to online banking security.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/", "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn", "https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/", "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", "https://twitter.com/3xp0rtblog/status/1294157781415743488", "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", "https://unit42.paloaltonetworks.com/banking-trojan-techniques/", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/", "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/", "https://intel471.com/blog/privateloader-malware", "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack", "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html" ], "synonyms": [ "Osiris" ], 
"type": [] }, "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17", "value": "Kronos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kryptocibule", "https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/" ], "synonyms": [], "type": [] }, "uuid": "8039c56c-3be1-4344-81cf-6c21b06bbaa6", "value": "KryptoCibule" }, { "description": "A keylogger used by Turla.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t", "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/", "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/", "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/" ], "synonyms": [], "type": [] }, "uuid": "aa93d030-abef-4215-bc9e-6c7483562d19", "value": "KSL0T" }, { "description": "According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ktlv_door", "https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html" ], "synonyms": [], "type": [] }, "uuid": "c9d1948b-1db0-4d99-8a25-c2deb7e0030c", "value": "KTLVdoor (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8" ], "synonyms": [ "Barys", "Gofot", "Kuaibpy" ], "type": [] }, "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7", "value": "Kuaibu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuiper", "https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "3b8fb979-154f-434e-8bc1-a2836d9defe9", "value": "Kuiper (Windows)" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" ], "synonyms": [], "type": [] }, "uuid": "f9b3757e-99c7-4999-8b79-87609407f895", "value": "Kuluoz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58", "value": "Kurton" }, { "description": "Cofense characterizes Kutaki as a data stealer that uses old-school techniques to detect sandboxes and debugging. Kutaki however works quite well against unhardened virtual machines and other analysis devices. By backdooring a legitimate application, it can fool unsophisticated detection methodologies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki", "https://sequretek.com/kutaki-stealer-analysis/", "https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/" ], "synonyms": [], "type": [] }, "uuid": "ff40299b-dc45-4a1c-bfe2-3864682b8fea", "value": "Kutaki" }, { "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. 
Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs", "https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts", "https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/", "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf", "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/", "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/", "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html" ], "synonyms": [], "type": [] }, "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3", "value": "Kwampirs" }, { "description": "According to its self-description, Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration, including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell. 
It supports batch a segment / b segment / C segment and cross network segment scanning, as well as URL, host and domain name list scanning.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ladon", "https://github.com/k8gege/Ladon", "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://asec.ahnlab.com/en/47455/", "https://asec.ahnlab.com/en/56236/" ], "synonyms": [], "type": [] }, "uuid": "5c63623b-aa84-41a5-9e3e-f338edf72291", "value": "Ladon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer", "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html", "https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/", "https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/", "https://twitter.com/luc4m/status/1276477397102145538" ], "synonyms": [], "type": [] }, "uuid": "62f1846f-3026-4824-b739-8f9ae5e9c8bb", "value": "LALALA Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert", "https://twitter.com/_CPResearch_/status/1484502090068242433", "https://www.youtube.com/watch?v=jeLd-gw2bWo", "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", "https://ti.qianxin.com/blog/articles/network-weapons-of-cia/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", 
"https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7" ], "synonyms": [ "Plexor" ], "type": [] }, "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", "value": "Lambert (Windows)" }, { "description": "According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is centered around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload", "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/" ], "synonyms": [ "OfficeCertTea" ], "type": [] }, "uuid": "a67f59fd-92dc-43b0-b9df-220384dbe5a4", "value": "LambLoad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin", "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" ], "synonyms": [], "type": [] }, "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", "value": "Lamdelin" }, { "description": "Clipboard stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laplas", "https://embee-research.ghost.io/laplas-clipper-infrastructure/", 
"https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/", "https://twitter.com/Gi7w0rm/status/1604999633792647169", "https://any.run/cybersecurity-blog/analyzing-laplasclipper-malware/" ], "synonyms": [], "type": [] }, "uuid": "cc2c0c2a-b233-4d51-9e0a-ae91043c952c", "value": "LaplasClipper" }, { "description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot", "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/", "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/", "http://malware-traffic-analysis.net/2017/04/25/index.html", "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access" ], "synonyms": [], "type": [] }, "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0", "value": "LatentBot" }, { "description": "First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. 
The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus", "https://www.embeeresearch.io/latrodectus-script-deobfuscation/", "https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus", "https://twitter.com/Myrtus0x0/status/1732997981866209550", "https://exchange.xforce.ibmcloud.com/malware-analysis/guid:dab8a02f9161933bc2eff5ba4a5f8412", "https://any.run/malware-trends/latrodectus", "https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/", "https://embeeresearch.io/phishing-domain-analysis-with-passive-dns-latrodectus/", "https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/", "https://www.vmray.com/latrodectus-a-year-in-the-making/", "https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/", "https://github.com/leandrofroes/malware-research/blob/main/Latrodectus/latrodectus_static_unpacker.py", "https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39", "https://github.com/VenzoV/MalwareAnalysisReports/blob/main/Latrodectus/Latrodectus%20%22Littlehw%22.md", "https://www.netskope.com/de/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features", "https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/", "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice", "https://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea", "https://x.com/embee_research/status/1792826263738208343", "https://www.bitsight.com/blog/latrodectus-are-you-coming-back", 
"https://www.esentire.com/blog/danabots-latest-move-deploying-icedid", "https://www.netskope.com/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features", "https://www.logpoint.com/en/blog/latrodectus-the-wrath-of-black-widow/", "https://blog.reveng.ai/latrodectus-distribution-via-brc4/", "https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/", "https://blog.krakz.fr/articles/latrodectus/", "https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign", "https://www.malware-traffic-analysis.net/2024/03/07/index.html", "https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/", "https://research.openanalysis.net/latrodectus/config/emulation/2024/09/30/latrodectus.html", "https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims" ], "synonyms": [ "BLACKWIDOW", "IceNova", "Latrodectus", "Lotus" ], "type": [] }, "uuid": "841bb886-8c75-427f-9b57-537c546557e1", "value": "Latrodectus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo", "https://seclists.org/snort/2019/q3/343" ], "synonyms": [], "type": [] }, "uuid": "e1958a69-49c3-43a2-ba80-6e5cd5bbcd13", "value": "Laturo Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazardoor", "https://asec.ahnlab.com/ko/40495/", "https://asec.ahnlab.com/wp-content/uploads/2023/10/20231013_Lazarus_OP.Dream_Magic.pdf", "https://asec.ahnlab.com/ko/53832/" ], "synonyms": [], "type": [] }, "uuid": "1045b4f1-5a85-4448-a7a9-abc964bdae72", "value": "LazarDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarloader", "https://securelist.com/bluenoroff-methods-bypass-motw/108383/", 
"https://asec.ahnlab.com/ko/53832/" ], "synonyms": [], "type": [] }, "uuid": "42bce8d3-8705-44fb-bd88-4af16c6bd28f", "value": "LazarLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus_killdisk", "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" ], "synonyms": [ "KillDisk.NBO" ], "type": [] }, "uuid": "6f377d0b-9eaa-474c-8cf8-0718ee2b0efc", "value": "KillDisk (Lazarus)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok", "https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken", "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" ], "synonyms": [], "type": [] }, "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", "value": "Laziok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/", "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/" ], "synonyms": [], "type": [] }, "uuid": "454db469-724a-4084-873c-906abf91d0d5", "value": "LazyCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot", "https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/", 
"https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf", "https://vblocalhost.com/uploads/VB2021-Park.pdf", "https://securelist.com/lazarus-trojanized-defi-app/106195/" ], "synonyms": [], "type": [] }, "uuid": "23dd327e-5d1d-4b75-993e-5d79d9fc0a70", "value": "LCPDot" }, { "description": "A further branch of the URSNIF collection of malware families. According to Mandiant, it no longer focuses on banking fraud but instead provides generic backdoor capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ldr4", "https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud" ], "synonyms": [], "type": [] }, "uuid": "c429622f-cbdf-47d6-88e8-091283ed5703", "value": "LDR4" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leakthemall", "https://id-ransomware.blogspot.com/2020/09/leakthemall-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "526add8e-ed78-4e8e-8d4c-152570fe566e", "value": "Leakthemall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" ], "synonyms": [], "type": [] }, "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", "value": "Leash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lechiket", "https://artemonsecurity.blogspot.com/2012/07/investigation-interesting-kernel-mode.html" ], "synonyms": [], "type": [] }, "uuid": "3df8cf32-cbbf-44f4-8b7b-b1a977138956", "value": "Lechiket" }, { "description": "Lemon Duck is a Monero crypto-mining malware with the capability to spread rapidly across the entire network. The malware runs its payload mainly in memory. 
Internal network spreading is performed via the SMB RCE vulnerability (CVE-2017-0144) or brute-force attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck", "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "https://cybotsai.com/lemon-duck-attack/", "https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/", "https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf", "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/", "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728", "https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/", "https://success.trendmicro.com/solution/000261916", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/", "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html", "https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html", "https://asec.ahnlab.com/en/31811/", "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/" ], "synonyms": [], "type": [] }, "uuid": "ff1896f4-8774-4c15-9353-918e3dc2e840", "value": "Lemon Duck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html" ], "synonyms": [ "shoco" ], "type": [] }, "uuid": 
"41da41aa-0729-428a-8b82-636600f8e230", "value": "Leouncia" }, { "description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic", "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", "http://www.malware-traffic-analysis.net/2017/11/02/index.html", "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/" ], "synonyms": [], "type": [] }, "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", "value": "Lethic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.letmeout", "http://blog.nsfocus.net/murenshark/" ], "synonyms": [], "type": [] }, "uuid": "007697bc-463e-4f90-93e3-8f8fdeff147a", "value": "LetMeOut" }, { "description": "LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader", "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families" ], "synonyms": [], "type": [] }, "uuid": "edf1bb94-cc6b-46fd-a922-18fd2a0f323f", "value": "LgoogLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc", "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media", "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html", "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf" ], "synonyms": [ "LEMPO" ], "type": [] }, "uuid": "ed825d46-be1e-4d36-b828-1b85274773dd", "value": "Liderc" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightbunny", "https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated" ], "synonyms": [], "type": [] }, "uuid": "ea790924-8a81-4141-9e5c-14a205af170f", "value": "LIGHTBUNNY" }, { "description": "LightlessCan is a complex HTTP(S) RAT that is a successor of the Lazarus RAT named BlindingCan. \r\n\r\nIn Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India.\r\n\r\nBesides the support for commands already present in BlindingCan, its most significant update is mimicked functionality of many native Windows commands:\r\n• ipconfig\r\n• net\r\n• netsh advfirewall firewall \r\n• netstat \r\n• reg\r\n• sc\r\n• ping (for both IPv4 and IPv6 protocols)\r\n• wmic process call create \r\n• nslookup \r\n• schtasks \r\n• systeminfo\r\n• arp\r\n\r\nThese native commands are often abused by the attackers after they have gotten a foothold in the target’s system. LightlessCan is able to execute them discreetly within the RAT itself, rather than visibly in the system console. 
This provides stealth, both in evading real-time monitoring solutions like EDRs and in evading post-mortem digital forensic tools.\r\n\r\nLightlessCan uses RC6 to decrypt its configuration and to encrypt and decrypt network traffic.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" ], "synonyms": [], "type": [] }, "uuid": "4a00dbe4-91b7-4cfc-a6a2-528ccc9a4303", "value": "LightlessCan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/", "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securelist.com/apt-trends-report-q2-2018/86487/", "https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "NETTRANS", "XTRANS" ], "type": [] }, "uuid": "96b0b8fa-79b6-4519-a794-f6f325f96fd7", "value": "LightNeuron" }, { "description": "Lightning Stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user data. Unlike other info stealers, Lightning Stealer stores all the stolen data in JSON format for exfiltration. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightning_stealer", "https://blog.cyble.com/2022/04/05/inside-lightning-stealer/" ], "synonyms": [], "type": [] }, "uuid": "48a21f7a-3dc9-4524-9628-10ed0f762bb4", "value": "Lightning Stealer" }, { "description": "According to Mandiant, this is a tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightrail", "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east" ], "synonyms": [], "type": [] }, "uuid": "32656e7e-6008-491b-b310-fb203a67b0c7", "value": "LIGHTRAIL" }, { "description": "According to Mandiant, LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP. It crafts configurable IEC-104 ASDU messages, to change the state of RTU IOAs to ON or OFF. This sample works in tandem with PIEHOP, which sets up the execution. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightwork", "https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response" ], "synonyms": [], "type": [] }, "uuid": "01cbe4cc-43ba-4bc8-9fee-9daf63dda335", "value": "LIGHTWORK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ligsterac", "https://securelist.com/atm-infector/74772/", "http://atm.cybercrime-tracker.net/index.php" ], "synonyms": [], "type": [] }, "uuid": "7d328c7b-7dc8-4891-bbd1-a05dedc8bac4", "value": "Ligsterac" }, { "description": "Lilith is a console-based ultra light-weight RAT developed in C++. 
It features a straight-forward set of commands that allows for near complete control of a machine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/", "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group", "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388", "https://github.com/werkamsus/Lilith", "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/", "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research", "https://asec.ahnlab.com/ko/58215/", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt" ], "synonyms": [], "type": [] }, "uuid": "c443dc36-f439-46d8-8ce7-07d3532a412b", "value": "Lilith" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limedownloader", "https://github.com/NYAN-x-CAT/Lime-Downloader" ], "synonyms": [], "type": [] }, "uuid": "a70436b1-559d-48af-836f-f46074cd8ef3", "value": "limedownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limeminer", "https://github.com/NYAN-x-CAT/Lime-Miner" ], 
"synonyms": [], "type": [] }, "uuid": "3819bc21-8c15-48ee-8e68-ee2a0c5f82a7", "value": "limeminer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limepad", "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations" ], "synonyms": [], "type": [] }, "uuid": "0cae4bcd-9656-434d-81c1-c55801b3eaa3", "value": "LimePad" }, { "description": " ## Description\r\n Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malware and how it behaves. \r\n \r\n ---\r\n\r\n## Main Features\r\n\r\n- **.NET**\r\n - Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0\r\n- **Connection**\r\n - Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports\r\n- **Plugin**\r\n - Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n - The communication between server & client is encrypted with AES\r\n- **Spreading**\r\n - Infecting all files and folders on USB drives\r\n- **Bypass**\r\n - Low AV detection and undetected startup method\r\n- **Lightweight**\r\n - Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n - Uninstall itself if the machine is virtual to avoid scanning or analyzing \r\n- **Ransomware**\r\n - Encrypting files on all HDD and USB with .Lime extension\r\n- **XMR Miner**\r\n - High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n - Creating a powerful DDOS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n - Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n - Prevents user from accessing their Windows GUI \r\n - **And more**\r\n - On Connect Auto Task\r\n\t- Force enable Windows RDP\r\n\t- Persistence\r\n - File manager\r\n - Passwords stealer\r\n - Remote desktop\r\n - Bitcoin 
grabber\r\n - Downloader\r\n - Keylogger", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://any.run/cybersecurity-blog/limerat-malware-analysis/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/", "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html", "https://lab52.io/blog/apt-c-36-recent-activity-analysis/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/", "https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/", "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service", "https://www.youtube.com/watch?v=x-g-ZLeX8GM", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/", "https://github.com/NYAN-x-CAT/Lime-RAT/", "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns" ], "synonyms": [], "type": [] }, "uuid": "771dbe6a-3f01-4bd4-8edd-070b2eb9df66", "value": "LimeRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail" ], "synonyms": [], "type": [] }, "uuid": 
"dcd1f76d-5a40-4c58-b01e-a749871fe50b", "value": "Limitail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "9a66df8d-ce65-49d6-a648-c1a5ea58cbc2", "value": "LinseningSvr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liontail", "https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/", "https://darksys0x.net/Analysis-and-Reversing-of-srvnet2sys/" ], "synonyms": [], "type": [] }, "uuid": "bad7ba1a-f945-436a-82ce-f125c82e2164", "value": "LIONTAIL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" ], "synonyms": [], "type": [] }, "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac", "value": "Listrix" }, { "description": "According to CarbonBlack, LiteDuke is a third stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic. 
\r\nESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke", "https://norfolkinfosec.com/looking-back-at-liteduke/", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/" ], "synonyms": [], "type": [] }, "uuid": "ae7352bd-86e9-455d-bdc3-0567886a8392", "value": "LiteDuke" }, { "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. \r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp", "https://github.com/zettabithf/LiteHTTP", "https://viriback.com/recent-litehttp-activities-and-iocs/", "https://malware.news/t/recent-litehttp-activities-and-iocs/21053" ], "synonyms": [], "type": [] }, "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", "value": "LiteHTTP" }, { "description": "According to PCrisk, LOBSHOT is a type of malware with a feature called hVNC (Hidden Virtual Network Computing) that allows attackers to access a victim's computer without being noticed. The hVNC component is effective in evading fraud detection systems. 
Also, LOBSHOT is being used to carry out financial crimes through the use of banking trojan and information-stealing functionalities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot", "https://research.openanalysis.net/lobshot/bot/hvnc/triage/2023/07/16/lobshot.html", "https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware" ], "synonyms": [], "type": [] }, "uuid": "c30db30e-e29a-4f62-bda0-c284fa7c6f6d", "value": "LOBSHOT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", "https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group", "https://www.ic3.gov/Media/News/2022/220204.pdf", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf", "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421", "https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/", "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion", "https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/", "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79", 
"https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/", "https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/", "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", "https://securelist.com/new-ransomware-trends-in-2022/106457/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", "https://resources.prodaft.com/wazawaka-report", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", "https://www.netskope.com/blog/netskope-threat-coverage-lockbit", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit", 
"https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", "https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/", "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf", "https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/", "https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up", "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve", "https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.glimps.fr/lockbit3-0/", "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a", "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/", "https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/", "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354", "https://Page-Not-Found-404.com", "https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf", 
"https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", "https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", "https://www.connectwise.com/resources/lockbit-profile", "https://intel471.com/blog/privateloader-malware", "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", "https://asec.ahnlab.com/en/35822/", "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", "https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/", "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/", "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf", "https://twitter.com/fs0c131y/status/1787852663595454807?t=xQbXF31IBgJ7c7tzTpTtlg", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers", "https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/", "https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://analyst1.com/ransomware-diaries-volume-1/", "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets", "https://www.intrinsec.com/alphv-ransomware-gang-analysis", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", 
"https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", "https://unit42.paloaltonetworks.com/lockbit-2-ransomware/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt", "https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/", "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/", "https://blog.lexfo.fr/lockbit-malware.html", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://ke-la.com/lockbit-2-0-interview-with-russian-osint/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511", "https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness", "https://asec.ahnlab.com/en/41450/", "https://www.youtube.com/watch?v=C733AyPzkoc", 
"https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/", "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", "https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/", "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", "https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation", "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool", "https://blog.calif.io/p/dissecting-lockbit-v3-ransomware", "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants", "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf", "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511", 
"https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf", "https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/", "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions", "https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/", "https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/", "https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://id-ransomware.blogspot.com/search?q=lockbit", "https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085", "https://github.com/prodaft/malware-ioc/tree/master/PTI-257", "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb", "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/", "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/", "https://securelist.com/crimeware-report-lockbit-switchsymb/110068/", 
"https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/LockBit_3.0/LockBit%20Technical%20Analysis%20Report.pdf", "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/", "https://github.com/EmissarySpider/ransomware-descendants", "https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware", "https://asec.ahnlab.com/ko/39682/", "https://analyst1.com/this-forum-is-a-bunch-of-communists-and-they-set-me-up-lockbit-spills-the-tea-regarding-their-recent-ban-on-russian-speaking-forums/", "https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/", "https://twitter.com/MsftSecIntel/status/1522690116979855360", "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/", "https://security.packt.com/understanding-lockbit/", "https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/", "https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/", "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/" ], "synonyms": [ "ABCD Ransomware" ], "type": [] }, "uuid": "fd035735-1ab9-419d-a94c-d560612e970b", "value": "LockBit (Windows)" }, { "description": "According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. 
It encrypts a range of documents and source code files, but certain versions had little to no whitelist that would protect important system files such as the Windows Boot Manager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga", "https://www.youtube.com/watch?v=o6eEN0mUakM", "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/", "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202", "https://blog.talosintelligence.com/lockergoga/", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", "https://www.abuse.io/lockergoga.txt", "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/", 
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure" ], "synonyms": [], "type": [] }, "uuid": "a4a6469d-6753-4195-9635-f11d458525f9", "value": "LockerGoga" }, { "description": "A ransomware first observed in July 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile", "https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/", "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows", "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/", "https://twitter.com/VirITeXplorer/status/1428750497872232459", "https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html", "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/", "https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" ], "synonyms": [], "type": [] }, "uuid": "97879260-ee50-4c7e-8d87-4bb134d1fdaf", 
"value": "LockFile" }, { "description": "Locky is a high-profile ransomware family that first appeared in early 2016 and was observed active until the end of 2017. It encrypts files on the victim system and demands a ransom to restore the original files. Its first version appended a .locky extension to encrypted files; later versions appended the .lukitus extension. The ransom amount is denominated in BTC and depends on the actor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://vixra.org/pdf/2002.0183v1.pdf", "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/", "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", 
"https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html", "https://intel471.com/blog/a-brief-history-of-ta505", "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", "https://dissectingmalwa.re/picking-locky.html", "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf" ], "synonyms": [], "type": [] }, "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", "value": "Locky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" ], "synonyms": [], "type": [] }, "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", "value": "Locky (Decryptor)" }, { "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" ], "synonyms": [], "type": [] }, "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", "value": "Locky Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" ], "synonyms": [], "type": [] }, "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", "value": "LockPOS" }, { "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. 
Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", "https://blog.talosintelligence.com/get-a-loda-this/", "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/", "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/", "https://blog.talosintelligence.com/attributing-yorotrooper/", "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html", "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/", "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA", "https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered", "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", "https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html", "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html" ], "synonyms": [ "LodaRAT", "Nymeria" ], "type": [] }, "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", "value": "Loda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf", "https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf", "https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html", "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", 
"https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://blog-en.itochuci.co.jp/entry/2024/01/24/134100", "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf", "https://twitter.com/jpcert_ac/status/1351355443730255872", "https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_6_minakawa-saika-kubokawa_en.pdf", "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/", "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/", "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf", "https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html", "https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html", "https://www.youtube.com/watch?v=zSEySLeWrMQ", "https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html", "https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html", "https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2023.pdf" ], "synonyms": [], "type": [] }, "uuid": "9429e1b3-31fb-4e52-ad78-e3d377f10fcb", "value": "LODEINFO" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", "value": "Logedrut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md" ], "synonyms": [], "type": [] }, "uuid": "2789b246-d762-4d38-8cc8-302293e314da", "value": "LogPOS" }, 
{ "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logtu", "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/", "https://news.drweb.ru/show/?i=14177", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf" ], "synonyms": [], "type": [] }, "uuid": "eda979a7-89eb-4dcb-858d-8232e2c47d1e", "value": "Logtu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax", "https://www.youtube.com/watch?v=VeoXT0nEcFU", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf", "https://habr.com/ru/amp/post/668154/", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "15228ae0-26f9-44d8-8d6e-87b0bd2d2aba", "value": "LoJax" }, { "description": "LokiLocker is a .Net ransomware, which was seen first in August 2021. 
This malware is protected with NETGuard (modified ConfuserEX) using the additional KoiVM virtualization plugin.\r\nThe victims were observed to be scattered around the world, with the main concentration in Eastern Europe and Asia (BlackBerry).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokilocker", "https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/", "https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/", "https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware", "https://asec.ahnlab.com/en/52570/" ], "synonyms": [], "type": [] }, "uuid": "3642aa5a-61b3-4de9-b124-8ecb8b53351d", "value": "LokiLocker" }, { "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. 
For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically “ckav.ru”. 
If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", "https://news.sophos.com/en-us/2020/05/14/raticate/", "http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html", "http://reversing.fun/reversing/2021/06/08/lokibot.html", "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/", 
"https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2", "https://www.youtube.com/watch?v=N0wAh26wShE", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/", "https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/", "https://www.youtube.com/watch?v=-FxyzuRv6Wg", "https://github.com/R3MRUM/loki-parse", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/", "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", "https://isc.sans.edu/diary/24372", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.logpoint.com/en/blog/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", "https://www.atomicmatryoshka.com/post/malware-headliners-lokibot", "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html", 
"https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html", "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/", "https://www.youtube.com/watch?v=K3Yxu_9OUxU", "https://lab52.io/blog/a-twisted-malware-infection-chain/", "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://ivanvza.github.io/posts/lokibot_analysis", "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", "https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros", "https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf", "https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/", "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/", "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://isc.sans.edu/diary/27282", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files", "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "http://reversing.fun/posts/2021/06/08/lokibot.html", "https://phishme.com/loki-bot-malware/", "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", 
"https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations", "https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/", "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko" ], "synonyms": [ "Burkina", "Loki", "LokiBot", "LokiPWS" ], "type": [] }, "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", "value": "Loki Password Stealer (PWS)" }, { "description": "According to ESET, this is a banking trojan that was active mainly in Mexico until the beginning of 2020, with builds for Brazil, Chile, and Colombia also having been identified.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokorrito", "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/" ], "synonyms": [], "type": [] }, "uuid": "5e8f3d59-15bc-492c-afdb-4b71e0417142", "value": "Lokorrito" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63", "https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/" ], "synonyms": [], "type": [] }, "uuid": "397bfb34-5643-4d21-a5b1-6950750fb89f", "value": "LOLSnif" }, { "description": "The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the 
Windows temp folder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" ], "synonyms": [], "type": [] }, "uuid": "08106bd2-975b-421c-8794-366452fb0109", "value": "LONGWATCH" }, { "description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thanks to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straightforward, not very different from those belonging to many other ransomware families. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper" ], "synonyms": [], "type": [] }, "uuid": "4b83ba50-7d50-48b4-bb70-fcbcacd23340", "value": "looChiper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback", "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks", "https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals", 
"https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage" ], "synonyms": [], "type": [] }, "uuid": "bb038b04-622b-4df6-b867-601284e8da0e", "value": "Lookback" }, { "description": "L0rdix is a multipurpose .NET remote access tool (RAT) first discovered being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, although custom commands can be defined and added. These include:\r\n\r\nDownload and execute\r\nUpdate\r\nOpen page (visible)\r\nOpen page (invisible)\r\nCmd\r\nKill process\r\nUpload file\r\nHTTP Flood\r\n\r\nL0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target's clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix", "https://blog.ensilo.com/l0rdix-attack-tool", "https://www.bromium.com/decrypting-l0rdix-rats-c2/", "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py", "https://twitter.com/hexlax/status/1058356670835908610", "https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/" ], "synonyms": [ "lordix" ], "type": [] }, "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2", "value": "L0rdix" }, { "description": "Tesorion describes Lorenz as a ransomware with design and implementation flaws, leading to impossible decryption with tools provided by the attackers. A free decryptor for 2021 versions was made available via the NoMoreRansom initiative. 
A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators are not able to provide tools to decrypt affected files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz", "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/", "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/", "https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/", "https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/", "https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20", "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware" ], "synonyms": [], "type": [] }, "uuid": "3ec79052-d8c0-49b2-9204-42f9d8f035f8", "value": "Lorenz" }, { "description": "Frank Boldewin describes Loup as a small cli-tool to cash out NCR devices (ATM).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loup", "https://twitter.com/r3c0nst/status/1295275546780327936", "https://twitter.com/Arkbird_SOLG/status/1295396936896438272" ], "synonyms": [], "type": [] }, "uuid": "8ab39736-68f4-4b51-9b48-7034da1cac71", "value": "Loup" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loupeloader", "https://www.virustotal.com/gui/file/b5c30a147d6529be8d37b9bce653d8eb8c9a1b723b2edcdf971ea2bb28097629" ], "synonyms": [], "type": [] }, "uuid": "163370d5-7fea-49ad-b511-9e6701e4eec8", "value": "LoupeLoader" }, { "description": "LOWBALL uses the legitimate Dropbox cloud-storage\r\nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. 
The communication occurs via HTTPS over port 443.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/" ], "synonyms": [], "type": [] }, "uuid": "484b9fd9-76c6-41af-a85b-189b0fc94909", "value": "LOWBALL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html", "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/", "https://www.mandiant.com/resources/apt41-us-state-governments" ], "synonyms": [ "PortReuse" ], "type": [] }, "uuid": "515d1318-c3b1-4d40-a321-31b3baf75414", "value": "LOWKEY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowzero", "https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf" ], "synonyms": [], "type": [] }, "uuid": "1efd4902-ff9e-4e71-8867-6eddb9bc456c", "value": "LOWZERO" }, { "description": "LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim's file system to store the downloaded payload. 
\r\n\r\nIt sends detailed information about the victim's environment, like computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software and the version of the ntoskrnl.exe from its version-information resource.\r\n\r\nLPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet), or the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the DLL execution). As the final step, the malware looks for the export CloseEnv and executes it. \r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient", "https://securelist.com/unveiling-lazarus-new-campaign/110888/", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf", "https://securelist.com/lazarus-threatneedle/100803/", "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf", "https://vblocalhost.com/uploads/VB2021-Park.pdf" ], "synonyms": [ "LPEClientTea" ], "type": [] }, "uuid": "754c8f79-743b-49fc-971e-bcd60edef9d8", "value": "LPEClient" }, { "description": "This malware, written in Go, is an lsass process memory dumper, which was custom developed by threat actors according to Security Joes. 
It has the capability to automatically exfiltrate the results to the free file transfer service \"transfer.sh\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lsassdumper", "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/", "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf" ], "synonyms": [], "type": [] }, "uuid": "f6e9f1f3-91ba-40af-aa2d-d0d5e824b791", "value": "lsassDumper" }, { "description": "According to PCrisk, Lu0bot es un software malicioso. El malware es ligero, por lo que su uso de los recursos del sistema es bajo. Esto complica la detección de Lu0bot, ya que no causa síntomas significativos, como una grave disminución del rendimiento del sistema.\r\n\r\nEl programa malicioso funciona como un recolector de telemetría. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lu0bot", "https://bazaar.abuse.ch/browse/tag/Lu0Bot/", "https://any.run/cybersecurity-blog/lu0bot-analysis/", "https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/" ], "synonyms": [], "type": [] }, "uuid": "d81c068d-7420-40ee-ab50-5f29b2ccc314", "value": "Lu0Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luadream", "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/", "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/", "https://r136a1.dev/2023/09/22/more-on-dreamland/" ], "synonyms": [ "DreamLand" ], "type": [] }, "uuid": "a6fee19a-21e4-4e2c-9c1f-a38d0732f661", "value": "LuaDream" }, { "description": "According to PCRisk, The Luca stealer can extract a variety of information from compromised machines. 
It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.\r\n\r\nThis malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.\r\n\r\nThis malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer", "https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets" ], "synonyms": [], "type": [] }, "uuid": "e9693255-762b-447a-9dfa-2ea1a35fe39c", "value": "Luca Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lucifer", "https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/", "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" ], "synonyms": [], "type": [] }, "uuid": "54093130-035f-4f2c-b98c-a660156fbbda", "value": "Lucifer" }, { "description": "This family was previously tracked as PovertyStealer until its actual name was identified via crime forums.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumar", "https://bazaar.abuse.ch/browse/signature/PovertyStealer/" ], "synonyms": [ "PovertyStealer" ], "type": [] }, "uuid": "f783ca5b-2c4e-479d-9af7-d0abd1eeeaff", "value": "Lumar" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/", "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/" ], "synonyms": [ "LuminosityLink" ], "type": [] }, "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", "value": "Luminosity RAT" }, { "description": "Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor \"Shamel\", who goes by the alias \"Lumma\". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. 
Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent \"TeslaBrowser/5.5\".\" The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma", "https://denwp.com/anatomy-of-a-lumma-stealer/", "https://research.checkpoint.com/2024/stargazers-ghost-network/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx", "https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/", "https://denwp.com/dissecting-lumma-malware/", "https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/", "https://twitter.com/sekoia_io/status/1572889505497223169", "https://viuleeenz.github.io/posts/2024/03/understanding-api-hashing-and-build-a-rainbow-table-for-lummastealer/", "https://mandarnaik016.in/blog/2024-10-05-malware-analysis-lumma-stealer/", "https://gridinsoft.com/spyware/lumma-stealer", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware", "https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed", "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/", "https://twitter.com/fumik0_/status/1559474920152875008", "https://www.intrinsec.com/lumma_stealer_actively_deployed_in_multiple_campaigns/", "https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7", "https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer", "https://www.esentire.com/blog/the-case-of-lummac2-v4-0", 
"https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn", "https://censys.com/a-beginners-guide-to-hunting-open-directories/", "https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/", "https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/", "https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11", "https://www.trellix.com/blogs/research/how-attackers-repackaged-a-threat-into-something-that-looked-benign/", "https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer", "https://www.malware-traffic-analysis.net/2024/03/07/index.html", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/", "https://www.0x1c.zip/0001-lummastealer/", "https://twitter.com/Ishusoka/status/1614028229307928582", "https://www.youtube.com/watch?v=lmMA4WYJEOY", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/", "https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/" ], "synonyms": [ "LummaC2 Stealer" ], "type": [] }, "uuid": "a14270e4-2b5e-4a90-9ccd-0b68690dbc3e", "value": "Lumma Stealer" }, { "description": "According to ESET Research, this is a Outlook Add-In that can use email messages for its C&C communication. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunarmail", "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" ], "synonyms": [], "type": [] }, "uuid": "2b489032-f4c5-4fe2-a4ac-d8223fff48b8", "value": "LunarMail" }, { "description": "An uploader that can exfiltrate files to Dropbox.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney", "https://twitter.com/MrDanPerez/status/1097881406661902337", "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html" ], "synonyms": [], "type": [] }, "uuid": "fb0167e5-3457-46ec-a6d1-b8e4ad9bc89b", "value": "LunchMoney" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk", "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" ], "synonyms": [], "type": [] }, "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", "value": "Lurk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo" ], "synonyms": [], "type": [] }, "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", "value": "Luzo" }, { "description": "This .NET written malware is used as a backdoor using the DNS protocol by a state sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing files/directories/installed applications, and uploading/downloading/execution of files). 
There are also variants using HTTP (.Net) and also one written in Golang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_dns_backdoor_dotnet", "https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor", "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "synonyms": [], "type": [] }, "uuid": "e7117036-5142-4a07-ae85-c3ddba7f1d75", "value": "Lyceum .NET DNS Backdoor" }, { "description": "This .Net written malware is used as a backdoor using the HTTP protocol by a state sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing files/directories/installed applications, and uploading/downloading/execution of files). There are also variants using DNS (.Net) and also one written in Golang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_dotnet", "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "synonyms": [], "type": [] }, "uuid": "92e533c5-b32a-411a-9fcc-733854c4a18c", "value": "Lyceum .NET TCP Backdoor" }, { "description": "This Golang written malware is used as a backdoor using the HTTP protocol by a state sponsored threat actor (TA). 
This backdoor runs in a loop of three stages: \r\n- Check the connectivity\r\n- Registration of the victim\r\n- Retrieval and execution of commands\r\nThis TA also uses .NET backdoor variants utilizing HTTP and DNS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_golang", "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "synonyms": [], "type": [] }, "uuid": "61fda7db-5e82-4e8c-a629-e8cc36151dec", "value": "Lyceum Golang HTTP Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html", "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html" ], "synonyms": [ "Adneukine", "Bomba Locker", "Lucky Locker" ], "type": [] }, "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", "value": "Lyposit" }, { "description": "According to Zscaler, M00nD3V Logger has the ability to steal confidential information, such as browser passwords, FTP client passwords, email client passwords, DynDNS credentials, JDownloader credentials; capture Windows keystrokes; and gain access to the webcam and hook the clipboard. In all, it has the ability to steal passwords from 42 applications.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.m00nd3v", "https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger" ], "synonyms": [], "type": [] }, "uuid": "737a73d5-40a2-4779-a84b-bdbefd1af4c9", "value": "M00nD3V Logger" }, { "description": "Modular x86/x64 file infector created/used by Maze ransomware developer. 
According to the author, it has been mistakenly tagged by AVs as Expiro.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv", "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", "https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py", "https://github.com/baderj/domain_generation_algorithms/blob/master/m0yv/dga.py", "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", "https://youtu.be/3RYbkORtFnk" ], "synonyms": [], "type": [] }, "uuid": "73db5c33-c05c-4835-af4d-9223516b0915", "value": "m0yv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.macamax", "https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html" ], "synonyms": [], "type": [] }, "uuid": "94dce4b9-69c9-4cc3-8377-dba04a162bc4", "value": "MACAMAX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/", "https://killingthebear.jorgetesta.tech/actors/evil-corp" ], "synonyms": [], "type": [] }, "uuid": "523883ea-b865-4713-b5ed-bb1a808f35cf", "value": "Macaw" }, { "description": "According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. 
It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", "https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf", "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america", "https://securelist.com/el-machete/66108/", "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/", "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6" ], "synonyms": [ "El Machete" ], "type": [] }, "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff", "value": "Machete" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax" ], "synonyms": [], "type": [] }, "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", "value": "MadMax" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.magala", "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/" ], "synonyms": [], "type": [] }, "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b", "value": "Magala" }, { "description": "According to DCSO, this malware is written as an Extended Stored Procedure for an MSSQL server. The backdoor has capabilities to bruteforce logins to other MSSQL servers, adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maggie", "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01", "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/", "https://medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d" ], "synonyms": [], "type": [] }, "uuid": "2e4a63ab-9a04-472f-aad0-3eb4835a4697", "value": "Maggie" }, { "description": "According to Talos, MagicRAT is programmed in the C++ programming language and uses the Qt Framework by statically linking it to the RAT on 32- and 64-bit versions. The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none. Talos thinks that the objective was to increase the complexity of the code, thus making human analysis harder. On the other hand, since there are very few examples (if any) of malware programmed with the Qt Framework, this also makes machine learning and heuristic analysis detection less reliable. The RAT uses the Qt classes throughout its entire code. The configuration is dynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that class.\r\n\r\nMagicRAT provides the operator with a remote shell on the victim's system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint. 
The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat", "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html", "https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.youtube.com/watch?v=nUjxH1gW53s" ], "synonyms": [], "type": [] }, "uuid": "ace607fa-d2ad-4097-aa01-0aa748644b8e", "value": "MagicRAT" }, { "description": "According to TXOne, The Magniber ransomware was first identified in late 2017 when it was discovered using the Magnitude Exploit Kit to conduct malvertising attacks against users in South Korea. However, it has remained active since then, continually updating its tactics by employing new obfuscation techniques and methods of evasion. In April 2022, Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it. 
It then began spreading via JavaScript in September 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", "https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/", "https://asec.ahnlab.com/en/30645/", "https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/", "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/", "https://www.mandiant.com/resources/blog/magniber-ransomware-infects-only-the-right-people", "https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/", "http://asec.ahnlab.com/1124", "https://www.youtube.com/watch?v=lqWJaaofNf4", "https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/", "https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/", "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/", "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer", "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", "https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/", "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/", "https://asec.ahnlab.com/en/41889/", "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372", "https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware", "https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia", "https://asec.ahnlab.com/en/19273/", "https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/" ], 
"synonyms": [], "type": [] }, "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", "value": "Magniber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://zengo.com/bitcoin-ransomware-detective-ucsf/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/", "https://zero2auto.com/2020/05/19/netwalker-re/", "https://www.youtube.com/watch?v=q8of74upT_g", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", 
"https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/", "https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game", "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million", "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html", "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf", "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/", "https://lopqto.me/posts/automated-dynamic-import-resolving", "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware", "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/", "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/", "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware", "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware", "https://www.ic3.gov/media/news/2020/200929-2.pdf", "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/", 
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/", "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf", "https://sites.temple.edu/care/ci-rw-attacks/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/", "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware", "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/", 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/" ], "synonyms": [ "Koko Ransomware", "NetWalker" ], "type": [] }, "uuid": "722aab64-a02a-40fc-8c05-6b0344fad9b8", "value": "Mailto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o", "https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/", "https://blog.group-ib.com/task", "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/", "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op", "https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf" ], "synonyms": [], "type": [] }, "uuid": "d41f513c-97e2-4588-a669-aa93b6378ef1", "value": "Mail-O" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/", "https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos" ], "synonyms": [], "type": [] }, "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", "value": "MajikPos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/" ], "synonyms": [], "type": [] }, "uuid": "996e73e9-b093-4987-9992-f52008e55b24", "value": "Makadocs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader", 
"https://twitter.com/James_inthe_box/status/1046844087469391872" ], "synonyms": [], "type": [] }, "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", "value": "MakLoader" }, { "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop", "https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf", "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://twitter.com/siri_urz/status/1221797493849018368", "https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11" ], "synonyms": [], "type": [] }, "uuid": "db4ca498-5481-4b68-8024-edd51d552c38", "value": "Makop" }, { "description": "According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. 
Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/", "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/", "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html" ], "synonyms": [], "type": [] }, "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", "value": "Maktub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos", "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7", "value": "MalumPOS" }, { "description": "According to PCrisk, Mamba is an updated variant of high-risk ransomware called Phobos. After successful infiltration, Mamba encrypts stored files and appends filenames with the \".mamba\" extension plus the victim's unique ID and developer's email address.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/", "https://www.ic3.gov/Media/News/2021/210323.pdf", "https://securelist.com/the-return-of-mamba-ransomware/79403/", "https://www.youtube.com/watch?v=LUxOcpIRxmg" ], "synonyms": [ "DiskCryptor", "HDDCryptor" ], "type": [] }, "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", "value": "Mamba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt", "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route", 
"https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/" ], "synonyms": [ "CryptoHost" ], "type": [] }, "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", "value": "ManameCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mango", "https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/" ], "synonyms": [], "type": [] }, "uuid": "e3be5820-5cf9-4455-9b46-c88e7fbebd85", "value": "Mango" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", "https://www.youtube.com/watch?v=NFJqD-LcpIg", "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf" ], "synonyms": [ "junidor", "mengkite", "vedratve" ], "type": [] }, "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", "value": "Mangzamel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware", "https://twitter.com/struppigel/status/811587154983981056" ], "synonyms": [], "type": [] }, "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", "value": "Manifestus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", "value": "ManItsMe" }, { "description": "Cisco Talos compared this RAT to Cobalt Strike and Sliver. 
Written in Rust.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka", "https://github.com/avast/ioc/tree/master/Manjusaka", "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html" ], "synonyms": [], "type": [] }, "uuid": "402a569c-6fc1-4ba3-b570-f85ce7538eef", "value": "Manjusaka (Windows)" }, { "description": "Ransomware family closely related to GlobeImposter, notable for its use of SHACAL-2 encryption algorithm.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa", "https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/", "https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html", "https://www.sangfor.com/blog/cybersecurity/alert-new-globeimposter-olympian-gods-20-coming" ], "synonyms": [], "type": [] }, "uuid": "9fe92a48-6822-4ec0-b52b-d089f98590ec", "value": "Maoloa" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14", "value": "MAPIget" }, { "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. 
It is written in C and contains a few notable anti-analysis features.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [], "type": [] }, "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", "value": "Marap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa", "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/", "https://defintel.com/docs/Mariposa_Analysis.pdf", "https://www.us-cert.gov/ics/advisories/ICSA-10-090-01" ], "synonyms": [ "Autorun", "Palevo", "Rimecud" ], "type": [] }, "uuid": "6adb6fa0-1974-4d24-9c39-e76d5356cf6a", "value": "Mariposa" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.markirat", "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" ], "synonyms": [], "type": [] }, "uuid": "c19ac191-a881-437f-ae82-7bec174590cb", "value": "MarkiRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.marracrypt", "https://securitynews.sonicwall.com/xmlpost/marracrypt-ransomware-actively-spreading-in-the-wild/" ], "synonyms": [], "type": [] }, "uuid": "bbe77240-d8e5-41b5-88ac-e9a91aa54a13", "value": "MarraCrypt" }, { "description": "Ransomware written in Delphi.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars", "https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html" ], "synonyms": [ "MarsDecrypt" ], "type": [] }, "uuid": "0b71ab98-912a-47a5-a1e0-1d7bd4fe9a4e", "value": "Mars" }, { "description": "3xp0rt describes Mars Stealer as an improved successor of Oski Stealer, supporting stealing 
from current browsers and targeting crypto currencies and 2FA plugins.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", "https://3xp0rt.com/posts/mars-stealer", "https://blog.sekoia.io/mars-a-red-hot-information-stealer/", "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer", "https://cyberint.com/blog/research/mars-stealer/", "https://isc.sans.edu/diary/rss/28468", "https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html", "https://ke-la.com/information-stealers-a-new-landscape/", "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/", "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://viuleeenz.github.io/posts/2023/11/applied-emulation-analysis-of-marsstealer/", "https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/", "https://x-junior.github.io/malware%20analysis/MarsStealer/", "https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view", "https://threatmon.io/mars-stealer-malware-analysis-threatmon/", "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/", "https://cert.gov.ua/article/38606", "https://blog.morphisec.com/threat-research-mars-stealer" ], "synonyms": [], "type": [] }, "uuid": "a5c1a9bd-5c1c-4987-8844-2c38e7b83507", "value": "Mars Stealer" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.masad_stealer", "https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram" ], "synonyms": [], "type": [] }, "uuid": "8a85df9f-5295-4570-948a-67c2489bdd2d", "value": "Masad Stealer" }, { "description": "MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques which can be easily bypassed when identified. This first stage loader eventually XOR-decrypts the second stage assembly which then decrypts, loads and executes the final MassLogger payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger", "https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/", "https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/", "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html", "https://fr3d.hk/blog/masslogger-frankenstein-s-creation", "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7", "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/", "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", "https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger", "https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html", "https://twitter.com/pancak3lullz/status/1255893734241304576" ], "synonyms": [], "type": [] }, "uuid": "e1a09bf8-974a-4cc4-9ffd-758bed7a785e", "value": "MASS Logger" }, { "description": "According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections.\r\n\r\nSince it is used as a MaaS, both the malware it infiltrates into systems, and the attack reasons can vary - depending on the cyber criminals operating it. 
Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus", "https://www.cyberark.com/resources/all-blog-posts/inside-matanbuchus-a-quirky-loader", "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/", "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/", "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn", "https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a", "https://www.embeeresearch.io/tls-certificates-for-threat-intel-dns/", "https://isc.sans.edu/diary/rss/28752", "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/", "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer", "https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/", "https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html", "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf", "https://blog.cyber5w.com/matanbuchus-loader-analysis" ], "synonyms": [], "type": [] }, "uuid": "e30f2243-9e69-4b09-97ab-1643929b97ad", "value": "Matanbuchus" }, { "description": "Matiex Keylogger is being sold in underground forums and, having gained popularity, can also be used as MaaS (Malware-as-a-Service) because of its ease of use, competitive pricing and immediate response from support.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matiex", "https://labs.k7computing.com/index.php/matiex-on-sale-underground/" ], "synonyms": [], "type": [] }, "uuid": "b946f5d5-6503-471a-b3cd-c6c6d6149768", "value": "Matiex" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker", "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" ], "synonyms": [], "type": [] }, "uuid": "59717468-271e-4d15-859a-130681c17ddb", "value": "Matrix Banker" }, { "description": "Matrix is a ransomware that encrypts a victim's files and demands a ransom in cryptocurrency to decrypt them. It is distributed through phishing emails, hacking toolkits, and software downloaders. Matrix is a serious threat and can cause significant damage to a victim's data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://unit42.paloaltonetworks.com/matrix-ransomware/", "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf", "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware", "https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", "value": "Matrix Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", "http://www.clearskysec.com/tulip/", "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" ], "synonyms": [], "type": [] }, "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", "value": "Matryoshka RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu", "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", "value": "Matsnu" }, { "description": "Specialized PoisonIvy Sideloader.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf", "https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html" ], "synonyms": [], "type": [] }, "uuid": "feb5ac55-7b28-47aa-9e9e-5007d838c0d5", "value": "Maudi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maui", "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://www.cisa.gov/uscert/ncas/alerts/aa22-187a", "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf" ], "synonyms": [], "type": [] }, "uuid": "0a531358-f943-40f9-a41d-e5e7944a9619", "value": "Maui Ransomware" }, { "description": "Banking trojan written in Delphi, targeting customers of European and South American banks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maxtrilha", "https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/#.YT3_VfwzaKN" ], "synonyms": [], "type": [] }, "uuid": "65799ce1-793d-4730-8d80-d829d7619dc6", "value": "Maxtrilha" }, { "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.\r\n\r\nActors are known to exfiltrate the data from the network for further extortion. 
It spreads mainly using email spam and various exploit kits (Spelevo, Fallout). \r\n\r\nThe code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/", "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.secureworks.com/research/threat-profiles/gold-village", "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://twitter.com/certbund/status/1192756294307995655", "https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars", "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update", "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF", "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html", "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", 
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/", "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", "https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations", "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", 
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md", "https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f", "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://oag.ca.gov/system/files/Letter%204.pdf", "https://www.docdroid.net/dUpPY5s/maze.pdf", "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", 
"https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://adversary.crowdstrike.com/adversary/twisted-spider/", "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/", "http://www.secureworks.com/research/threat-profiles/gold-village", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/", "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", 
"https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://securelist.com/maze-ransomware/99137/", "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/", "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U", "https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/", "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", 
"https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat", "https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/" ], "synonyms": [ "ChaCha" ], "type": [] }, "uuid": "266c9377-34ef-4670-afa3-28bc0ba7f44e", "value": "Maze" }, { "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", 
"https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html", "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d" ], "synonyms": [ "DexLocker" ], "type": [] }, "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", "value": "MBRlock" }, { "description": "Ransomware overwriting the system's MBR, making it impossible to boot into Windows.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker", "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html" ], "synonyms": [], "type": [] }, "uuid": "1f7fc94c-218a-4571-85b6-5667544bf230", "value": "MBR Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/", "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/", "https://www.symantec.com/connect/blogs/bios-threat-showing-again" ], "synonyms": [ "MyBios" ], "type": [] }, "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", "value": "Mebromi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "GoldStamp" ], "type": [] }, "uuid": "cd055701-89ad-41be-b4d9-69460876fdee", "value": "MECHANICAL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mediapi", 
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/" ], "synonyms": [ "Eyeglass" ], "type": [] }, "uuid": "3c111e49-957c-4bda-8c25-7be3e373b788", "value": "MediaPI" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre", "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" ], "synonyms": [], "type": [] }, "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", "value": "Medre" }, { "description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://news.drweb.com/show/?i=10302&lng=en", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/" ], "synonyms": [], "type": [] }, "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", "value": "Medusa (Windows)" }, { "description": "A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. 
It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.loginsoft.com/post/medusa-ransomware-evolving-tactics-in-modern-cyber-extortion", "https://twitter.com/siri_urz/status/1215194488714346496?s=20", "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-181a", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0", "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf", 
"https://www.cybereason.com/blog/medusalocker-ransomware", "https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/", "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/", "https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html", "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/", "https://blog.talosintelligence.com/2020/04/medusalocker.html", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://asec.ahnlab.com/en/48940/", "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/", "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html" ], "synonyms": [ "AKO Doxware", "AKO Ransomware", "MedusaReborn" ], "type": [] }, "uuid": "77e7221f-d3db-4d13-bcde-e6d7a494f424", "value": "MedusaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-meduza-f1bbd2efb84f", "https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/", "https://cert.gov.ua/article/6276652", "https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/", "https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed" ], "synonyms": [], "type": [] }, "uuid": "20edd63e-d1a8-4aae-a0a6-50f5bb1cf65f", "value": "Meduza Stealer" }, { "description": "Megacortex is a ransomware used in targeted attacks against corporations.\r\nOnce the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. 
It is usually delivered by downloaders and trojans, as it has no propagation capabilities of its own.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/", "https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/", "https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://blog.malwarebytes.com/detections/ransom-megacortex/", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/", "https://threatpost.com/megacortex-ransomware-mass-distribution/146933/", 
"https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries", "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", "https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks" ], "synonyms": [], "type": [] }, "uuid": "3f09884e-dddc-4513-8720-a28fe21ab9a8", "value": "MegaCortex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacreep", "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/", "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" ], "synonyms": [], "type": [] }, "uuid": "394ddd91-b673-4607-b253-fe19b98008b5", "value": "MegaCreep" }, { "description": "Megumin Trojan is a malware focused on multiple fields (DDoS, Miner, Loader, Clipper).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin", "https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145" ], "synonyms": [], "type": [] }, "uuid": "76cd241a-c265-4a33-8ce7-db2d3647b489", "value": "MeguminTrojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio", "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", "https://twitter.com/hpsecurity/status/1509185858146082816", "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/", 
"https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/", "https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/", "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853", "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/" ], "synonyms": [], "type": [] }, "uuid": "bfebb298-66e3-4250-82e8-910b7dd8618c", "value": "Mekotio" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.melcoz", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" ], "synonyms": [], "type": [] }, "uuid": "e3e289bb-3ac2-4f93-becd-540720501884", "value": "Melcoz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meltingclaw", "https://blog.talosintelligence.com/uat-5647-romcom/" ], "synonyms": [], "type": [] }, "uuid": "f7b455fb-9774-41d4-8315-75192c3e3f4c", "value": "MeltingClaw" }, { "description": "According to PCrisk, MEOW is ransomware based on other ransomware called CONTI. MEOW encrypts files and appends the \".MEOW\" extension to their filenames. It also drops the \"readme.txt\" file (a ransom note). 
An example of how MEOW ransomware modifies filenames: it renames \"1.jpg\" to \"1.jpg.MEOW\", \"2.png\" to \"2.png.MEOW\", and so forth.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meow", "https://id-ransomware.blogspot.com/2022/09/meow-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "ee27ec81-3c41-4562-ae6b-58a7ce6f0485", "value": "Meow" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mercurialgrabber", "https://twitter.com/Arkbird_SOLG/status/1432127748001128459", "https://github.com/NightfallGT/Mercurial-Grabber" ], "synonyms": [], "type": [] }, "uuid": "5fa45856-2960-47c4-ad73-df0ff142ae12", "value": "MercurialGrabber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.merdoor", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" ], "synonyms": [], "type": [] }, "uuid": "bf604927-77df-46e5-9bdb-ee9b631461a2", "value": "Merdoor" }, { "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin", "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html", "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html", "https://github.com/Ne0nd0g/merlin", "https://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f" ], "synonyms": [], "type": [] }, "uuid": "427e4b41-adf6-4d4d-a83f-6d96b5ab4a3e", "value": "Merlin" }, { "description": "Mespinoza is a ransomware family that encrypts files using asymmetric encryption and appends .pysa as the file extension. 
According to dissectingmalware the extension \"pysa\" is probably derived from the Zanzibari Coin with the same name.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://twitter.com/campuscodi/status/1347223969984897026", "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/", "https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis", "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html", "https://twitter.com/inversecos/status/1456486725664993287", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.ic3.gov/Media/News/2021/210316.pdf", "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/", 
"https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/", "http://www.secureworks.com/research/threat-profiles/gold-burlap", "https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf", "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html" ], "synonyms": [ "pysa" ], "type": [] }, "uuid": "68a7ca8e-2902-43f2-ad23-a77b4c48221d", "value": "Mespinoza" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin", "https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html" ], "synonyms": [ "Ransomware32" ], "type": [] }, "uuid": "750c5b2c-1489-4e11-b21d-c49b651d9227", "value": "MetadataBin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack", "https://m.threatbook.cn/detail/2527", "https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/", "https://s.tencent.com/research/report/944.html", "https://www.youtube.com/watch?v=ftjDH65kw6E", "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html", 
"https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", "https://www.secrss.com/articles/17900" ], "synonyms": [ "denesRAT" ], "type": [] }, "uuid": "64304fcc-5bc8-4000-9be2-4fc7a482897a", "value": "METALJACK" }, { "description": "According to BitDefender, Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf", "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", "https://blog.ensilo.com/metamorfo-avast-abuser", "https://twitter.com/MsftSecIntel/status/1418706916922986504", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md", "https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerou", "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", 
"https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", "https://cofense.com/blog/autohotkey-banking-trojan/" ], "synonyms": [ "Casbaneiro" ], "type": [] }, "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530", "value": "Metamorfo" }, { "description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer", "https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/", "https://medium.com/walmartglobaltech/metastealer-string-decryption-and-dga-overview-5f38f76830cd", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-meta-8ae628dfab8c", "https://russianpanda.com/2023/12/28/MetaStealer-Part-2/", "https://russianpanda.com/2023/11/20/MetaStealer-Redline's-Doppelganger/", "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web", "https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/", "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", "https://ke-la.com/information-stealers-a-new-landscape/" ], "synonyms": [], "type": [] }, "uuid": "9b7758fc-2fca-4b07-b669-34461fc95a67", "value": "MetaStealer" }, { "description": "A wiper used in an attack against the Iranian train system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meteor", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", 
"https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/", "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/", "https://twitter.com/_cpresearch_/status/1541753913732366338" ], "synonyms": [], "type": [] }, "uuid": "066250ee-9279-47ad-b289-e266ede11921", "value": "Meteor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter", "http://www.secureworks.com/research/threat-profiles/gold-franklin", "https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/", "https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", "https://asec.ahnlab.com/ko/26705/", "https://asec.ahnlab.com/en/53046/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://asec.ahnlab.com/en/56236/", "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", "https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence", "https://redcanary.com/blog/getsystem-offsec/", "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", 
"https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://explore.group-ib.com/htct/hi-tech_crime_2018", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://unit42.paloaltonetworks.com/atoms/obscureserpens/", "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", "http://schierlm.users.sourceforge.net/avevasion.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", "http://www.secureworks.com/research/threat-profiles/gold-winter", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/", "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/", "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/", "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux" ], "synonyms": [], "type": [] }, "uuid": "13a5c0ae-8e2d-4a38-8b6c-7d746e159991", "value": "Meterpreter 
(Windows)" }, { "description": "A botnet that used Tor .onion links for C&C.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/", "https://www.youtube.com/watch?v=FttiysUZmDw", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf", "https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/" ], "synonyms": [ "SBC", "Sefnit" ], "type": [] }, "uuid": "3454bd71-29e1-498b-82d8-111aeadedee5", "value": "Mevade" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" ], "synonyms": [], "type": [] }, "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", "value": "Mewsei" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot", "https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/", "https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/", "https://twitter.com/GossiTheDog/status/1438500100238577670", "https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware", "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot", 
"https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s" ], "synonyms": [ "BLame", "MgmBot", "POCOSTICK" ], "type": [] }, "uuid": "d97c2c0c-ef3a-4512-846a-f4cdeee7787a", "value": "MgBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha" ], "synonyms": [], "type": [] }, "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5", "value": "Miancha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", "value": "Micrass" }, { "description": "Open-source lightweight backdoor for C2 communication.\r\nGitHub: https://github.com/Cr4sh/MicroBackdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor", "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", "https://cert.gov.ua/article/37626", "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://github.com/cr4sh/microbackdoor", "https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/", "https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/", "https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/" ], "synonyms": [], "type": [] }, "uuid": "07c7b7dc-cec8-4542-b351-ce7d757812d7", "value": "MicroBackdoor" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", "https://github.com/dlegezo/common", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", "https://securelist.com/microcin-is-here/97353", "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/", "https://securelist.com/microcin-is-here/97353/", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa", "value": "Microcin" }, { "description": "This malware written in Delphi is an information stealing malware family dubbed \"MICROPSIA\". 
It has a wide range of data-theft functionality built in.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", "https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/", "https://research.checkpoint.com/apt-attack-middle-east-big-bang/", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks", "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf", "https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html", "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md" ], "synonyms": [], "type": [] }, "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae", "value": "Micropsia" }, { "description": "This malware, written in C#, is a variant of the Thanos ransomware family; it emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, Zscaler ThreatLabz analysed an incident in which Midas ransomware was deployed slowly over a two-month period. 
This ransomware also operates its own data leak site as part of its double-extortion strategy.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.midas", "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/", "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants", "https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/" ], "synonyms": [], "type": [] }, "uuid": "e5043a7f-2c38-4015-978e-253a7cdbda97", "value": "Midas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi", "https://www.anomali.com/blog/targeted-ransomware-activity" ], "synonyms": [], "type": [] }, "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8", "value": "Mikoponi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milan", "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/" ], "synonyms": [], "type": [] }, "uuid": "5b1fe92d-9a78-4543-8efb-7c674492d0d2", "value": "Milan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", "value": "MILKMAID" }, { "description": "In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. 
Functionality includes bidirectional file transmission and remote command execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum", "https://securelist.com/wildpressure-targets-macos/103072/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/" ], "synonyms": [], "type": [] }, "uuid": "d1942959-9c6f-462b-87bf-da6ed914669d", "value": "Milum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mim221", "https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/" ], "synonyms": [], "type": [] }, "uuid": "83ebded5-6ce5-471a-9bfe-db7cca6b3756", "value": "mim221" }, { "description": "According to PCrisk, Mimic is a ransomware-type program. Malware within this classification is designed to encrypt data and demand ransoms for decryption. Evidence suggests that Mimic is based on the leaked CONTI ransomware builder. Mimic campaigns have been observed targeting English and Russian speaking users.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic", "https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html", "https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "40e57c70-c83b-4820-87fd-f684f4960268", "value": "Mimic Ransomware" }, { "description": "Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. 
Benjamin Delpy continues to lead Mimikatz development, so the toolset works with the current release of Windows and includes the most up-to-date attacks.\r\n\r\nAttackers commonly use Mimikatz to steal credentials and escalate privileges; in most cases, endpoint protection software and anti-virus systems will detect and delete an unmodified copy of it, which is why adversaries frequently rely on repacked builds or in-memory execution instead (see the AMSI- and MSBuild-bypass references below). Conversely, pentesters use Mimikatz to find and exploit credential-handling weaknesses in your networks so you can fix them.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/", "https://www.welivesecurity.com/2022/09/06/worok-big-picture/", "https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns", "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/", "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf", "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-vinewood", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/", "https://attack.mitre.org/groups/G0011", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", 
"https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html", "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/", "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-hickman", "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://twitter.com/inversecos/status/1456486725664993287", "https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/", "https://www.intrinsec.com/apt27-analysis/", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "http://www.secureworks.com/research/threat-profiles/gold-burlap", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware", "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html", 
"https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks", "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", "https://www.secureworks.com/research/samsam-ransomware-campaigns", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/", "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://www.mandiant.com/resources/blog/alphv-ransomware-backup", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf", "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021", "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", 
"https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks", "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", "https://asec.ahnlab.com/en/47455/", "https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/", "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/", "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://www.infinitumit.com.tr/apt-35/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf", "https://attack.mitre.org/groups/G0096", "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html", "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf", "https://noticeofpleadings.com/nickel/#", "https://unit42.paloaltonetworks.com/atoms/obscureserpens/", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf", "https://www.secureworks.com/blog/ransomware-deployed-by-adversary", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/", "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/", "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran", "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/", "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", 
"https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf", "http://www.secureworks.com/research/threat-profiles/gold-franklin", "https://www.accenture.com/us-en/blogs/security/ransomware-hades", "https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups", "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/", "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", "https://twitter.com/swisscom_csirt/status/1354052879158571008", "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153", "https://unit42.paloaltonetworks.com/trigona-ransomware-update/", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two", "https://www.ic3.gov/media/news/2020/200917-1.pdf", "https://asec.ahnlab.com/en/56236/", "https://assets.virustotal.com/reports/2021trends.pdf", "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf", "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf", "https://www.hvs-consulting.de/lazarus-report/", "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://asec.ahnlab.com/ko/56256/", "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", "https://attack.mitre.org/groups/G0034", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", 
"https://github.com/gentilkiwi/mimikatz", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia", "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics", "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a", "https://www.slideshare.net/yurikamuraki5/active-directory-240348605", "https://securelist.com/the-sessionmanager-iis-backdoor/106868/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://asec.ahnlab.com/ko/39682/", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks", "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/", "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/", "https://www.ic3.gov/Media/News/2021/210823.pdf", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", 
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", "value": "MimiKatz" }, { "description": "Ransomware, potential rebranding of win.sfile.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware", "https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/" ], "synonyms": [], "type": [] }, "uuid": "cfd0ab21-12e6-4c95-acc7-a8f488ed1706", "value": "Mindware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge", "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", "https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/", "https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat", "https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures", "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism", "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html" ], "synonyms": [ "GazGolder" ], "type": [] }, "uuid": "663d4310-51ea-4ac1-9426-b9e9c5210471", "value": "MINEBRIDGE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", "value": "MiniASP" }, { "description": "According to Mandiant, this is a custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibike", 
"https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east" ], "synonyms": [], "type": [] }, "uuid": "6ac94abf-1fc0-459d-8ffd-81cdd12b7a31", "value": "MINIBIKE" }, { "description": "miniBlindingCan is an HTTP(S) orchestrator.\r\n\r\nIt is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers' C&C.\r\n\r\nThe miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/", "https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/", "https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" ], "synonyms": [ "AIRDRY.V2", "EventHorizon" ], "type": [] }, "uuid": "d266693e-0564-47e7-93ac-128d491efcab", "value": "miniBlindingCan" }, { "description": "According to Mandiant, this is a custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibus", "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east" ], "synonyms": [], "type": [] }, "uuid": "eac92334-6af5-4d19-80b6-80abe5580afb", "value": "MINIBUS" }, { "description": "The MiniDuke toolset consists of multiple downloader and backdoor components", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke", 
"https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf", "https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/", "https://www.secureworks.com/research/threat-profiles/iron-hemlock" ], "synonyms": [], "type": [] }, "uuid": "3d164ab8-58a5-433c-bbc9-b81a869ac8c8", "value": "MiniDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ministealer", "https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/" ], "synonyms": [], "type": [] }, "uuid": "01e605b0-aadc-40a3-986f-f0795fd20401", "value": "MiniStealer" }, { "description": "miniTYPEFRAME is a variant of TYPEFRAME, a RAT for Windows.\r\n\r\nIts functionality is reduced to serve mostly as a proxy module. 
Its commands are indexed by 16-bit integers, usually in the range 0x8027–0x8044.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.minitypeframe", "https://www.cisa.gov/news-events/analysis-reports/ar18-165a" ], "synonyms": [], "type": [] }, "uuid": "fbf135fa-1194-4532-846a-eb1716e0b426", "value": "miniTypeFrame" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mintstealer", "https://twitter.com/ViriBack/status/1610393842787704835" ], "synonyms": [], "type": [] }, "uuid": "15c036d3-e1d8-4e4a-850c-20ce65bdd24c", "value": "MintStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [], "type": [] }, "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", "value": "Mirage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [], "type": [] }, "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30", "value": "MirageFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", "https://assets.virustotal.com/reports/2021trends.pdf", "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", "https://twitter.com/PhysicalDrive0/status/830070569202749440", "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", 
"https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", "https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack", "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot/", "https://unit42.paloaltonetworks.com/moobot-d-link-devices/" ], "synonyms": [], "type": [] }, "uuid": "2edd3051-b1b5-47f2-9155-8c97f791dfb7", "value": "Mirai (Windows)" }, { "description": "According to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users’ browsers. It usually pretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other malwares are installed simultaneously. Recently, this trojan is thought to have tentative links to TA505 and PYSA groups.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast", "https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/", "https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies", "https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924", "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant", "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/" ], "synonyms": [], "type": [] }, "uuid": "be347289-5ca5-4b49-b5ef-8443883736c1", "value": "MirrorBlast" }, { "description": "According to Trend Micro, this is a loader for win.transbox, used by threat actor Earth Yako.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorkey", "https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html" ], 
"synonyms": [], "type": [] }, "uuid": "7340174e-3ff7-4293-acd0-1a82433a7777", "value": "MirrorKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", "value": "Misdat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" ], "synonyms": [ "Dromedan", "MixFox", "ModPack" ], "type": [] }, "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", "value": "Misfox" }, { "description": "Undocumented information stealer targeting multiple browsers and cryptocurrencies. Internal project name appears to be \"misha\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha", "https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/", "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html" ], "synonyms": [], "type": [] }, "uuid": "3f32d0bf-61b9-495b-88ca-77f4a254336d", "value": "Misha" }, { "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. 
In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu", "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/", "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/", "https://blog.scilabs.mx/cyber-threat-profile-malteiro/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces", "https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU", "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/", "https://perception-point.io/blog/manipulated-caiman-the-sophisticated-snare-of-mexicos-banking-predators-technical-edition/" ], "synonyms": [ "URSA" ], "type": [] }, "uuid": "ffc9ffcc-24f4-4e60-ab02-a75b007359fa", "value": "Mispadu" }, { "description": "Mandiant associates this malware with UNC4191; it decrypts and runs DARKDEW.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistcloak", "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia" ], "synonyms": [ "HIUPAN" ], "type": [] }, "uuid": "1e6bc052-73de-453d-ba6c-658c82fe21d4", "value": "MISTCLOAK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistyveal", "https://www.epicturla.com/previous-works/hitb2020-voltron-sta", "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/" ], "synonyms": [], "type": [] }, "uuid": "d594d6c1-6d10-4fe8-acda-397df91c73ba", "value": "MISTYVEAL" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" ], "synonyms": [], "type": [] }, "uuid": "4c786624-4a55-46e6-849d-b65552034235", "value": "Miuref" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mmon", "http://reversing.fun/posts/2022/01/02/mmon.html" ], "synonyms": [ "Kaptoxa" ], "type": [] }, "uuid": "a6d12f4f-57f6-4873-9c68-e079fef5e5fb", "value": "MMON" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core" ], "synonyms": [], "type": [] }, "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", "value": "MM Core" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat", "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" ], "synonyms": [], "type": [] }, "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", "value": "MobiRAT" }, { "description": "LNK files used to lure and orchestrate execution of various scripts, interacting with the Mocky API service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocky_lnk", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf", "https://cert.gov.ua/article/4492467", "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html" ], "synonyms": [], "type": [] }, "uuid": "0eb52072-a2db-4689-bc2d-ac0ae65bdd8c", "value": "Mocky LNK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" ], "synonyms": [], "type": [] }, "uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d", "value": "Mocton" }, { "description": "According to PCrisk, ModernLoader, also known as Avatar Bot and AvatarLoader, is a malicious program that has minimalistic loader and RAT (Remote Access Trojan) functionalities.\r\n\r\nLoader-type malware is designed to infect devices with additional malicious 
programs, while RATs enable remote access/control over infected machines. ModernLoader is capable of executing basic commands and injecting malicious modules into systems.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modern_loader", "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html" ], "synonyms": [ "AvatarBot" ], "type": [] }, "uuid": "a3932600-e1fd-4fbe-b651-8da31109ee15", "value": "ModernLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modirat", "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands/" ], "synonyms": [], "type": [] }, "uuid": "1f36d78b-6f3d-469e-8a60-5ecaebe9d80a", "value": "MoDi RAT" }, { "description": "ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them – named GetMicInfo – contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe", "https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data", "https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data", "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/" ], "synonyms": [], "type": [] }, "uuid": "a4b3d07a-b3ce-4128-9c5c-caa218518a00", "value": "ModPipe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", "https://twitter.com/physicaldrive0/status/670258429202530306" ], "synonyms": [ "straxbot" ], "type": [] }, "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", "value": "ModPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/" ], "synonyms": [], "type": [] }, "uuid": "818a9036-a74f-4017-af07-cba9a471b316", "value": "Mofksys" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moisha", "https://id-ransomware.blogspot.com/2022/08/moisha-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "16c5d8f9-c2f1-4599-bc93-bc02497deff8", "value": "Moisha Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/", "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network", "https://breakingmalware.com/malware/moker-part-2-capabilities/" ], "synonyms": [], "type": [] }, "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", "value": "Moker" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "3a711d44-2a70-418d-92c1-692c3d3b13c2", "value": "Mokes (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole", "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/", "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware" ], "synonyms": [], "type": [] }, "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", "value": "Mole" }, { "description": "MoleNet is a .NET downloader malware used by the Molerats group in targeted attacks in the Middle East. Before downloading additional payloads, it first collects information about the infected machine using WMI queries and sends the data to its operators. It was first discovered in 2020, however, Cybereason researchers showed that it has been in use since at least 2019, with infrastructure that operated since 2017. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molenet", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign" ], "synonyms": [], "type": [] }, "uuid": "76842aa1-f06d-49cf-90df-158346525f91", "value": "MoleNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", "https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east", "https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/", "http://www.clearskysec.com/iec/" ], "synonyms": [], "type": [] }, "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", "value": "Molerat Loader" }, { "description": "According to ESET, first seen in-the-wild on 26th May, 2017, the malicious mining software is a fork of a legitimate open source Monero CPU miner called xmrig.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor", "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/", "https://asec.ahnlab.com/en/37526/", "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux" ], "synonyms": [ "CoinMiner" ], "type": [] }, "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", "value": "Monero Miner" }, { "description": "A new ransomware gang hitting companies worldwide, first spotted by Zscaler.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moneymessage", 
"https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/", "https://resources.securityscorecard.com/research/analysis-money-message-ransomware" ], "synonyms": [], "type": [] }, "uuid": "07dff193-2fad-4de6-83ad-046c6b95be46", "value": "Money Message" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mongall", "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" ], "synonyms": [], "type": [] }, "uuid": "e0627961-fc28-4b7d-bb44-f937defa052a", "value": "mongall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree", "https://securelist.com/montysthree-industrial-espionage/98972/" ], "synonyms": [ "MT3" ], "type": [] }, "uuid": "8a6013a1-5e5c-41f5-bd8e-c86ea7f108d9", "value": "MontysThree" }, { "description": "MoonBounce is a malware embedded into a modified UEFI firmware. Placed into SPI flash, it can provide persistence across full reinstall and even disk replacements. 
MoonBounce deploys user-mode malware through in-memory staging with a small footprint.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce", "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf", "https://habr.com/ru/amp/post/668154/", "https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html" ], "synonyms": [], "type": [] }, "uuid": "04ce84dc-f471-48b6-8456-348cd85af39f", "value": "MoonBounce" }, { "description": "According to Cisco Talos, this RAT is derived from the open source XenoRAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonpeak", "https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/" ], "synonyms": [], "type": [] }, "uuid": "47d27d87-0d5c-4761-a2a2-43982abb4d45", "value": "MoonPeak" }, { "description": "The malware, potentially named \"MOON_TAG\" by its developer as indicated by the strings within, is derived from code shared in a Google Group (https://groups.google.com/g/ph4nt0m/c/2J3_1XPeKD8/m/AYPoWudRcTAJ?pli=1). Each variant discovered possesses capabilities to communicate via the Microsoft Graph API. 
At this moment, it appears to be in development.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moontag", "https://www.security.com/threat-intelligence/cloud-espionage-attacks" ], "synonyms": [], "type": [] }, "uuid": "391c5173-8ca3-4f1b-8b34-a1eb0b21ea15", "value": "MOONTAG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwalk", "https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2" ], "synonyms": [ "CurveLast", "SneakCross" ], "type": [] }, "uuid": "6a0ce908-d535-4973-bc49-33b9869de99b", "value": "MoonWalk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" ], "synonyms": [], "type": [] }, "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", "value": "MoonWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/", "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#", "https://twitter.com/Timele9527/status/1272776776335233024", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" ], "synonyms": [], "type": [] }, "uuid": "3de9ccf5-4756-4c5b-9086-6664f5a9b761", "value": "MoriAgent" }, { "description": "This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that 
are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya", "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/" ], "synonyms": [], "type": [] }, "uuid": "4dd511a6-be5f-40ae-9a9f-aaf354f7ea2e", "value": "Moriya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine" ], "synonyms": [], "type": [] }, "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", "value": "Morphine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mortalkombat", "https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/" ], "synonyms": [], "type": [] }, "uuid": "ff3b11e4-3450-4db5-a2ed-5c45cd875330", "value": "MortalKombat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mortis", "https://m4lcode.github.io/malware%20analysis/Mortis-Locker-YARA-Rule/" ], "synonyms": [], "type": [] }, "uuid": "354212b6-86df-4dcc-87b4-97f6e78b6a41", "value": "Mortis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", "https://www.f-secure.com/weblog/archives/00002227.html", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A", "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html" ], "synonyms": [], "type": [] }, "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", "value": "Morto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosaic_regressor", "https://securelist.com/mosaicregressor/98849/" ], "synonyms": [], "type": [] }, "uuid": "45e780f0-aa06-4427-8393-ef1d358e354f", "value": "MosaicRegressor" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moserpass", "https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/" ], "synonyms": [], "type": [] }, "uuid": "0dc319a2-96b5-420d-85ec-07f34f457402", "value": "Moserpass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.recordedfuture.com/turla-apt-infrastructure/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" ], "synonyms": [], "type": [] }, "uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba", "value": "Mosquito" }, { "description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictim’s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. 
MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", "https://securityscorecard.pathfactory.com/research/quantum-ransomware", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/", "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/", "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry", "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", 
"https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/", "https://community.riskiq.com/article/47766fbd", "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/", "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker", "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/", "https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/", "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", "https://blogs.blackberry.com/en/2021/11/zebra2104", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/" ], "synonyms": [ "DagonLocker", "MountLocker", "QuantumLocker" ], "type": [] }, "uuid": "b5814e05-532a-4262-a8da-82fd0d7605ee", "value": "Mount Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" ], "synonyms": [], "type": [] }, "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", "value": "Moure" }, { "description": "According to PCrisk, Mozart is malicious software that allows attackers (cyber criminals) to execute various commands on an infected computer through the DNS protocol. This communication method helps cyber criminals to avoid detection via security software. 
Mozart is categorized as a malware loader and executes commands that cause download and installation of malicious software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-11-the-mozart-ram-scraper.md" ], "synonyms": [], "type": [] }, "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", "value": "mozart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" ], "synonyms": [ "MPK" ], "type": [] }, "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", "value": "MPKBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mqsttang", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/" ], "synonyms": [ "QMAGENT" ], "type": [] }, "uuid": "aed28126-b8ab-4ab5-a2c6-89898fe689c9", "value": "MQsTTang" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrac", "https://id-ransomware.blogspot.com/2021/12/mrac-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "3eee33df-76c5-4962-ac35-b0d98c37a81a", "value": "MRAC" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec", "https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "1e301d67-cd12-4f46-bcb3-c60f9b78c4d0", "value": "MrDec" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mr_peter", "https://github.com/mrfr05t/Mr.Peter" ], "synonyms": [], "type": [] }, "uuid": "677123aa-3a1a-4443-a968-4f6f4bc6b3c2", "value": "MrPeter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.msupedge", "https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns" ], "synonyms": [], "type": [] }, "uuid": "284136d0-5ece-40f1-bab7-c066604cd80c", "value": "Msupedge" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.muddyc2go", "https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms", "https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework" ], "synonyms": [], "type": [] }, "uuid": "c22da013-96f4-4dfa-ab24-544da231500e", "value": "MuddyC2Go" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mulcom", "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies" ], "synonyms": [], "type": [] }, "uuid": "a756ad8a-ac29-49c0-aee8-f3030e7ddeca", "value": "MulCom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] }, "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", "value": "Multigrain POS" }, { "description": "murkytop is a command-line reconnaissance tool. 
It can be used to execute files as a different user, move, and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [], "type": [] }, "uuid": "2685ea45-06f4-46e0-9397-eff8844db855", "value": "murkytop" }, { "description": "According to bin.re, Murofet, also called LICAT, is a member of the ZeuS family. It uses a Domain Generation Algorithm (DGA) to determine the current C2 domain names. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://bin.re/blog/three-variants-of-murofets-dga/", "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.wired.com/2017/03/russian-hacker-spy-botnet/" ], "synonyms": [ "Licat" ], "type": [] }, "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", "value": "Murofet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha", "http://vms.drweb.ru/virus/?_is=1&i=8477920" ], "synonyms": [], "type": [] }, "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", "value": "Mutabaha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs", 
"https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/", "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html" ], "synonyms": [], "type": [] }, "uuid": "77d74e8c-664a-42b7-a55d-735ea138a898", "value": "MyDogs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://www.malware-traffic-analysis.net/2018/12/19/index.html", "https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503", "http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069" ], "synonyms": [ "Mimail", "Novarg" ], "type": [] }, "uuid": "ac3483f9-522e-4fbc-b072-e5f76972e7b3", "value": "MyDoom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf", "https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/", "https://blog.talosintelligence.com/2020/07/valak-emerges.html" ], "synonyms": [], "type": [] }, 
"uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", "value": "MyKings Spreader" }, { "description": "According to PCrisk, MyloBot is a high-risk trojan-type virus that allows cyber criminals to control the infected machine. MyloBot can be considered as a botnet, since all infected computers are connected to a single network. Depending on cyber criminals' goals, infected machines might be misused or have additional infections applied.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", "http://www.freebuf.com/column/153424.html", "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/", "https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html", "https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet", "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", "https://github.com/360netlab/DGA/issues/36", "https://ti.qianxin.com/blog/articles/Analysis-of-Recent-Activities-of-the-Mylobot-Botnet-EN/", "https://blog.centurylink.com/mylobot-continues-global-infections/" ], "synonyms": [ "FakeDGA", "WillExec" ], "type": [] }, "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", "value": "MyloBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystery_snail", "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk175885", "https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/" ], "synonyms": [], "type": [] }, "uuid": "c9b5b0b2-45af-43f2-8eb4-e13493c1342e", "value": "MysterySnail" }, { "description": "According to Zscaler, Mystic Stealer is a new information stealer that was first advertised in April 2023. It is capable of stealing credentials from nearly 40 web browsers and more than 70 browser extensions, and also targets cryptocurrency wallets, Steam, and Telegram. 
The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants.\r\nMystic implements a custom binary protocol that is encrypted with RC4.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystic_stealer", "https://www.zscaler.com/blogs/security-research/mystic-stealer" ], "synonyms": [], "type": [] }, "uuid": "226a9241-e4de-49d0-bb30-4550221f3f9f", "value": "Mystic Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mzrevenge", "https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html" ], "synonyms": [ "MaMo434376" ], "type": [] }, "uuid": "5cb1091c-bfe7-440c-a8c7-b652e205e65b", "value": "MZRevenge" }, { "description": "Botnet with focus on banks in Latin America and South America.\r\nRelies on DLL Sideloading attacks to execute malicious DLL files.\r\nUses legitimate VMWare executable in attacks. 
\r\nAs of March 2019, the malware is under active development, with updated versions released on a regular basis.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", "http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html", "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/", "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector", "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware" ], "synonyms": [], "type": [] }, "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6", "value": "N40" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" ], "synonyms": [], "type": [] }, "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", "value": "Nabucur" }, { "description": "According to FireEye, NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via command-line and gives actors shell access to a victim's system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b", "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html", "https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf", "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" ], "synonyms": [ "Cyruslish", "TWOPENCE", "VIVACIOUSGIFT" ], "type": [] }, "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb", "value": "NACHOCHEESE" }, { "description": "", "meta": 
{ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini", "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" ], "synonyms": [], "type": [] }, "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", "value": "Nagini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "Sacto" ], "type": [] }, "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", "value": "Naikon" }, { "description": "Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation-state threat actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52", "https://youtu.be/NVnJImFm6P8", "https://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore", "https://community.riskiq.com/article/ade260c6", "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", 
"https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://www.ic3.gov/media/news/2020/200917-1.pdf", "https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918", "https://assets.virustotal.com/reports/2021trends.pdf", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", "https://community.riskiq.com/article/24759ad2", "https://www.secureworks.com/research/darktortilla-malware-analysis", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/", "https://blog.morphisec.com/syk-crypter-discord", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0", "https://intel471.com/blog/privateloader-malware", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", "https://goggleheadedhacker.com/blog/post/11", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread", "https://malwareindepth.com/defeating-nanocore-and-cypherit/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", 
"https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.embeeresearch.io/advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control/" ], "synonyms": [ "Nancrat", "NanoCore" ], "type": [] }, "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", "value": "Nanocore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker" ], "synonyms": [], "type": [] }, "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", "value": "NanoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naplistener", "https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat", "https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph" ], "synonyms": [], "type": [] }, "uuid": "c5a291c8-c317-48b4-aad1-d5e9d68c2fc5", "value": "NAPLISTENER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam", "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage", "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html" ], "synonyms": [], "type": [] }, "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", "value": "Narilam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.ncsc.gov.uk/alerts/turla-group-malware", 
"https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims" ], "synonyms": [], "type": [] }, "uuid": "d8295eba-60ef-4900-8091-d694180de565", "value": "Nautilus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", "https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/", "https://www.youtube.com/watch?v=rfzmHjZX70s", "https://blog.talosintelligence.com/2018/05/navrat.html?m=1", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ "JinhoSpy" ], "type": [] }, "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", "value": "NavRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan", "https://twitter.com/ESETresearch/status/1441139057682104325?s=20", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/", "https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan", "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf", "https://vblocalhost.com/uploads/VB2020-20.pdf" ], "synonyms": [], "type": [] }, "uuid": "85056c54-f8f1-4a98-93cb-322cc1deb52c", "value": "nccTrojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae", "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf", "https://twitter.com/SyscallE/status/1390339497804636166", 
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/", "https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware" ], "synonyms": [], "type": [] }, "uuid": "76c75ed0-95ba-4393-8020-4400bdc49de6", "value": "Nebulae" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neconyd", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Neconyd.A" ], "synonyms": [], "type": [] }, "uuid": "fbc29921-6ec4-4cae-b45c-b7d210ffd435", "value": "Neconyd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/", "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/", 
"https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/", "https://bin.re/blog/the-dgas-of-necurs/", "https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs", "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.secureworks.com/research/threat-profiles/gold-riverview", "http://www.secureworks.com/research/threat-profiles/gold-riverview" ], "synonyms": [ "nucurs" ], "type": [] }, "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", "value": "Necurs" }, { "description": "NedDnLoader is an HTTP(S) downloader that uses AES for C&C traffic encryption.\r\n\r\nIt sends detailed information about the victim's environment, such as the computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. The usual payload downloaded with NedDnLoader is Torisma.\r\n\r\nThe internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. 
It contains specific RTTI symbols like \".?AVCWininet_Protocol@@\" or \".?AVCMFC_DLLApp@@\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.telsy.com/lazarus-gate/", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/", "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/" ], "synonyms": [], "type": [] }, "uuid": "f061ad00-c215-478e-ae31-77fcdc2f4963", "value": "NedDnLoader" }, { "description": "According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. 
Uses AES-128, with the AES key then protected by RSA-2048.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry", "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks", "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf", "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://securelist.com/evolution-of-jsworm-ransomware/102428/", "https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html", "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/", "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", 
"https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "http://www.secureworks.com/research/threat-profiles/gold-mansard", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ "Nephilim" ], "type": [] }, "uuid": "895f088e-a862-462c-a754-6593c6a471da", "value": "Nefilim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemesis", "https://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5", "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor" ], "synonyms": [ "Project Nemesis" ], "type": [] }, "uuid": "2f115fca-2f72-4c20-a93e-9618e51f6e2b", "value": "Nemesis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim", "https://www.secureworks.com/research/threat-profiles/tungsten-bridge", "http://blog.nsfocus.net/darkhotel-3-0908/" ], "synonyms": [ "Nemain" ], "type": [] }, "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428", "value": "Nemim" }, { "description": "Nemty is a ransomware that was discovered in September 2019. 
Fortinet states that they found it being distributed in similar ways to Sodinokibi and also noted artifacts they had seen before in GandCrab.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw", "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html", "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/", "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/", "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/", "https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/", "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet", "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/", "https://securelist.com/evolution-of-jsworm-ransomware/102428/", "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/", 
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "http://www.secureworks.com/research/threat-profiles/gold-mansard", "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md", "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b", "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/" ], "synonyms": [], "type": [] }, "uuid": "465696be-d576-4750-9469-89e19984f3df", "value": "Nemty" }, { "description": "Proofpoint observed distribution of this RAT since late April 2022; it is written in Go and incorporates code from various open-source Git repositories.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nerbian_rat", "https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques" ], "synonyms": [], "type": [] }, "uuid": "3dba4da9-7fe0-4b12-a0ed-c55065b87481", "value": "Nerbian RAT" }, { "description": "Neshta is a 2005 Belarusian file infector virus written in Delphi. 
The name of the virus comes from the Belarusian word \"nesta\" meaning \"something.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta", "https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html", "https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest", "https://www.virusradar.com/en/Win32_Neshta.A/description", "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [], "type": [] }, "uuid": "13d2482d-21fc-4044-891e-a7fb2b1660e9", "value": "neshta" }, { "description": "NESTEGG is a memory-only backdoor that can proxy commands to other\r\ninfected systems using a custom routing scheme. It accepts commands to\r\nupload and download files, list and delete files, list and terminate processes, and\r\nstart processes. NESTEGG also creates Windows Firewall rules that allow the\r\nbackdoor to bind to a specified port number and accept inbound traffic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf", "https://youtu.be/_kzFNQySEMw?t=789", "https://youtu.be/8hJyLkLHH8Q?t=1208", "https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html", "https://content.fireeye.com/apt/rpt-apt38", "https://securelist.com/lazarus-under-the-hood/77908/" ], "synonyms": [], "type": [] }, "uuid": "fce1f9a7-bac7-4b11-8ea7-3c72931cd14a", "value": "NESTEGG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", "value": "NetC" }, { "description": "A RAT written in .NET, delivered with a driver to protect it from deletion. 
Observed being dropped by PrivateLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netdooka", "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html" ], "synonyms": [], "type": [] }, "uuid": "dc6f887b-0c35-471f-9b18-2bf0a4ff357a", "value": "NetDooka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle", "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" ], "synonyms": [ "Neteagle_Scout", "ScoutEagle" ], "type": [] }, "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", "value": "NETEAGLE" }, { "description": "NetfilterRootkit is a WFP application layer enforcement callout driver which is signed by Microsoft via the Windows Hardware Compatibility program. It was first discovered by Karsten Hahn. His team submitted the malware to Microsoft, which allowed Microsoft to start an investigation.\r\n\r\nAfter Karsten Hahn published tweets and an article about the rootkit, Microsoft quickly responded with their own article. Their investigation revealed Chinese gamers as targets of the malware. The rootkit redirects traffic to the threat actor's IP. The threat actor can use the driver to spoof their geo-location to cheat, but it also allows account compromise of targeted players.\r\n\r\nWhile this particular rootkit is not significant anymore, similar rootkits have been created since that are also signed by Microsoft via the Windows Hardware Compatibility program. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter", "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", "https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit", "https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/", "https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf", "https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/", "https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users", "https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/" ], "synonyms": [], "type": [] }, "uuid": "731d992c-f2e0-4e56-a148-b8df5caee8e3", "value": "NetfilterRootkit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netflash", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/" ], "synonyms": [], "type": [] }, "uuid": "88b2b4ac-9e46-4bc6-b4f6-bf5ddd70ad31", "value": "NetFlash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey", "https://twitter.com/kevinperlow/status/1156406115472760835" ], "synonyms": [], "type": [] }, "uuid": "b8ec2602-c5e5-4b49-a50e-bb3d9676abc3", "value": "NetKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger", "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/" ], "synonyms": [], "type": [] }, "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", "value": "Netrepser" }, { "description": "Freely available network reconnaissance tool.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netspy", "https://github.com/shmilylty/netspy" ], "synonyms": [], "type": [] }, 
"uuid": "a7cc22b7-0d05-480f-b7f8-a6e6c658dd8f", "value": "NetSpy" }, { "description": "Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it to use it in their harmful campaigns. The name of the modified version of the NetSupport Manager has been labeled the NetSupport Manager RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat", "https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/", "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html", "https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm", "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising", "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/", "https://www.youtube.com/watch?v=CIg4TXFJRK0", "https://embeeresearch.io/advanced-cyberchef-operations-netsupport/", "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer", "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/", "https://medium.com/@ad12347/netsupport-rat-hits-again-with-new-iocs-37318de44cfc", "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", 
"https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html", "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", "http://www.netsupportmanager.com/index.asp", "https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/", "https://www.trellix.com/about/newsroom/stories/research/new-techniques-of-fake-browser-updates/", "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs", "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks", "https://medium.com/walmartglobaltech/smartapesg-4605157a5b80", "https://asec.ahnlab.com/en/45312/", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://embee-research.ghost.io/advanced-cyberchef-operations-netsupport/" ], "synonyms": [ "NetSupport" ], "type": [] }, "uuid": "42562c47-08e1-46bc-962c-28d1831d092b", "value": "NetSupportManager RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf", "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", "https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/" ], "synonyms": [ "TravNet" 
], "type": [] }, "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", "value": "NetTraveler" }, { "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg", "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/", 
"https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://lmntrix.com/lab/analysis-of-netwire-rat/", "https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA", "https://threatpost.com/ta2541-apt-rats-aviation/178422/", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign", "https://community.riskiq.com/article/24759ad2", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.circl.lu/pub/tr-23/", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", "https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view", "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html", "https://www.youtube.com/watch?v=TeQdZxP0RYY", "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html", "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/", "https://news.drweb.ru/show/?i=13281&c=23", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", 
"https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/", "https://www.theregister.com/2023/03/10/fbi_netwire_seizure/", "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers", "https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.", "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/" ], "synonyms": [ "NetWeird", "NetWire", "Recam" ], "type": [] }, "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740", "value": "NetWire RC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.ncsc.gov.uk/alerts/turla-group-malware", "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims" ], "synonyms": [], "type": [] }, "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", "value": "Neuron" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", "https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html", 
"https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22", "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html", "http://blog.ptsecurity.com/2019/08/finding-neutrino.html", "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/" ], "synonyms": [ "Kasidet" ], "type": [] }, "uuid": "3760920e-4d1a-40d8-9e60-508079499076", "value": "Neutrino" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos", "https://securelist.com/neutrino-modification-for-pos-terminals/78839/" ], "synonyms": [], "type": [] }, "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", "value": "Neutrino POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nevada", "https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant" ], "synonyms": [], "type": [] }, "uuid": "abade90c-6783-4e53-a436-944733871df2", "value": "Nevada" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbot_loader", 
"https://medium.com/walmartglobaltech/newbot-loader-81e2ba11c793" ], "synonyms": [], "type": [] }, "uuid": "10557b51-6a57-499b-a988-e4aeccf51d4e", "value": "NewBot Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce", "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf" ], "synonyms": [], "type": [] }, "uuid": "1695fd64-5e6a-456f-97a4-d09937920543", "value": "NewBounce" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view", "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6", "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html", "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/" ], "synonyms": [], "type": [] }, "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", "value": "NewCore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass", "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/" ], "synonyms": [], "type": [] }, "uuid": "c1dbbd04-050c-47ce-8164-791f17a4a6b4", "value": "NewPass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] }, "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411", "value": "NewPosThings" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c", "value": "NewsReels" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/" ], "synonyms": [ "CT" ], "type": [] }, "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421", "value": "NewCT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot", "https://twitter.com/benkow_/status/789006720668405760" ], "synonyms": [], "type": [] }, "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697", "value": "Nexster Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/", "https://twitter.com/PhysicalDrive0/status/842853292124360706" ], "synonyms": [], "type": [] }, "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51", "value": "NexusLogger" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb", "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html", "https://research.checkpoint.com/ramnits-network-proxy-servers/" ], "synonyms": [ "Grobios" ], "type": [] }, "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", "value": "Ngioweb (Windows)" }, { "description": "According to Unit42, NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nglite", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://us-cert.cisa.gov/ncas/alerts/aa21-336a" ], "synonyms": [], "type": [] }, "uuid": "3bd8a411-5a99-4cf9-bde9-b7c55e79acf8", "value": "NGLite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nibiru", "https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "5a998606-a9a9-42ad-affb-9be37e11ec25", "value": "Nibiru" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightclub", "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/", "https://i.blackhat.com/BH-US-23/Presentations/US-23-MatthieuFaou-MoustachedBouncer.pdf" ], "synonyms": [], "type": [] }, "uuid": "7b9747fa-291a-497b-ae0a-b0760b2b62e5", "value": "NightClub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightdoor", "https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/", 
"https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/", "https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset" ], "synonyms": [ "NetMM", "Suzafk" ], "type": [] }, "uuid": "e67d39e6-a5c6-4f30-840d-e4efb2f63359", "value": "Nightdoor" }, { "description": "C2 framework.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk", "https://web.archive.org/web/20221124020920/https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice", "https://web.archive.org/web/20220505170100/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html", "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://github.com/struppigel/hedgehog-tools/blob/main/nighthawk_str_decoder.py", "https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/CAPE/Nighthawk.py" ], "synonyms": [], "type": [] }, "uuid": "c8b9aa40-9c55-4283-851c-635673f87182", "value": "Nighthawk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/", "https://twitter.com/cglyer/status/1480734487000453121", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", "https://www.youtube.com/watch?v=Yzt_zOO8pDM", "https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", 
"https://twitter.com/cglyer/status/1480742363991580674" ], "synonyms": [ "Night Sky" ], "type": [] }, "uuid": "5c8dc23a-86a8-4fee-9fa3-371c9d7b4f1c", "value": "NightSky" }, { "description": "NikiHTTP is a versatile backdoor and has multiple capabilities such as download of files, executing them, performing commands, take screenshots and so on.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nikihttp", "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/" ], "synonyms": [], "type": [] }, "uuid": "e3fd52bb-7331-401d-9cc4-0de6ec82f647", "value": "NikiHTTP" }, { "description": "NimbleMamba is a new implant used by TA402/Molerats group as replacement of LastConn. It uses guardrails to ensure that victims are within the TA's target region. It is written in C# and delivered as an obfuscated .NET executable. One seen obfuscator is SmartAssembly.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba", "https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage", "https://thehackernews.com/2022/02/palestinian-hackers-using-new.html" ], "synonyms": [], "type": [] }, "uuid": "b52a6512-7b0c-431a-8680-93f12921ba46", "value": "NimbleMamba " }, { "description": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. 
It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2", "https://medium.com/@knownsec404team/apt-k-47-organization-launches-espionage-attacks-using-a-new-trojan-tool-5e7eccfdce2f", "https://github.com/itaymigdal/Nimbo-C2", "https://paper.seebug.org/3117/" ], "synonyms": [], "type": [] }, "uuid": "bda7efa0-e08d-453e-95d4-9307c5104a69", "value": "Nimbo-C2 (Windows)" }, { "description": "Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671" ], "synonyms": [], "type": [] }, "uuid": "5f998c1d-0377-404d-8ece-dd3486758a44", "value": "NimGrabber" }, { "description": "Part of Mythic C2, written in Nim. \r\nConsidered deprecated, as it is only compatible with Mythic 2.1.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimplant", "https://github.com/MythicAgents/nimplant" ], "synonyms": [], "type": [] }, "uuid": "b8ecda1e-206e-4ab5-b9d7-e50276ba22ea", "value": "Nimplant" }, { "description": "Backdoor written in Nim.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimrev", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671" ], "synonyms": [], "type": [] }, "uuid": "69981781-962a-409a-93c6-cb5377257de8", "value": "Nimrev" }, { "description": "According to its author, NimBlackout is an adaptation of the @Blackout project originally developed in C++ by @ZeroMemoryEx, which consists of removing AV/EDRs using the gmer (BYOVD) driver. 
The main reason for this project was to understand how BYOVD attacks work, and then to provide a valid PoC developed in Nim.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nim_blackout", "https://github.com/Helixo32/NimBlackout" ], "synonyms": [], "type": [] }, "uuid": "904152c4-7483-41e7-acbb-884a7b32bce4", "value": "NimBlackout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ninerat", "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/" ], "synonyms": [], "type": [] }, "uuid": "2f9982ac-0029-4f4c-b316-4d127dc5f043", "value": "NineRAT" }, { "description": "NirCmd is a benign tool by NirSoft that provides various functionalities. Among these is, for example, a capability to start regedit as SYSTEM, which is sometimes abused for privilege escalation; other functionality can likewise be abused for malicious purposes. It is also frequently flagged by AV engines.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nircmd", "https://www.nirsoft.net/utils/nircmd.html" ], "synonyms": [], "type": [] }, "uuid": "51047f06-d824-4b84-a69c-97808b18f6bf", "value": "NirCmd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove", "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html" ], "synonyms": [], "type": [] }, "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130", "value": "nitlove" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", "https://krebsonsecurity.com/tag/nitol/", "https://asec.ahnlab.com/en/44504/", "https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/", "https://en.wikipedia.org/wiki/Nitol_botnet" ], "synonyms": [], "type": [] }, "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5", "value": "Nitol" }, { "description": "Ransomware family 
which requires payment in Discord gift cards (\"Discord Nitro\").", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro", "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf", "https://github.com/nightfallgt/nitro-ransomware", "https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/", "https://twitter.com/malwrhunterteam/status/1430616882231578624" ], "synonyms": [ "Hydra" ], "type": [] }, "uuid": "a81635fc-7bb7-4cd1-b26c-ea8ce6cb2763", "value": "Nitro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrogen", "https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/", "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/", "https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware" ], "synonyms": [], "type": [] }, "uuid": "5b241bc1-cc05-4ab9-8771-1a6b97136576", "value": "Nitrogen Loader" }, { "description": "A Turkish cryptominer campaign.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrokod", "https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications" ], "synonyms": [], "type": [] }, "uuid": "d52552e2-17dc-425a-bfc8-ee6a037c704c", "value": "Nitrokod" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nixscare", "https://twitter.com/3xp0rtblog/status/1302584919592501248" ], "synonyms": [], "type": [] }, "uuid": "a49d1134-f4d9-4778-bbd4-c70655be9cf6", "value": "NixScare Stealer" }, { "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse 
shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://www.4hou.com/posts/VoPM", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/", "https://blog.morphisec.com/syk-crypter-discord", "https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/", "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html", "https://infosecwriteups.com/unfolding-nj-rat-07nc-and-064d14b875c7cd8-d14b875c7cd8", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://breachnova.com/blog.php?id=27", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", 
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt", "https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf", "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf", "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://labs.k7computing.com/?p=21904", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA", "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43", "https://blogs.360.cn/post/APT-C-44.html", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://ti.360.net/blog/articles/analysis-of-apt-c-27/", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", 
"https://twitter.com/ESETresearch/status/1449132020613922828", "https://intel471.com/blog/privateloader-malware", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://medium.com/@b.magnezi/malware-analysis-njrat-5633847bd6f1", "http://blogs.360.cn/post/analysis-of-apt-c-37.html", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://attack.mitre.org/groups/G0096", "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control", "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", "https://forensicitguy.github.io/njrat-installed-from-msi/", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/", "https://asec.ahnlab.com/1369", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf", "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", "https://news.sophos.com/en-us/2020/05/14/raticate/", 
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388", "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html", "https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/", "https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://blog.talosintelligence.com/2021/07/sidecopy.html", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html", "https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", 
"https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/" ], "synonyms": [ "Bladabindi", "Lime-Worm" ], "type": [] }, "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", "value": "NjRAT" }, { "description": "It's a .NET RAT with a hardcoded key.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nmass", "https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2" ], "synonyms": [], "type": [] }, "uuid": "c0a8dc47-13fa-45d7-b55a-e69d798b3244", "value": "nmass malware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer", "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap" ], "synonyms": [], "type": [] }, "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", "value": "Nocturnal Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.node_stealer", "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/" ], "synonyms": [], "type": [] }, "uuid": "e7890226-7e39-4902-bbce-e384e0847303", "value": "NodeStealer" }, { "description": "Nokki is a RAT-type malware which is believed to have evolved from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. 
Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki", "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124", "value": "Nokki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", "https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust", "https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/", "https://malgamy.github.io/malware-analysis/Nokoyawa/", "https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html", "https://github.com/MalGamy/YARA_Rules/blob/main/Nokoyawa.yara" ], "synonyms": [], "type": [] }, "uuid": "934a633a-21f7-4010-a83a-0b64c365355d", "value": "Nokoyawa Ransomware" }, { "description": "A wiper that overwrites target files with itself, thus spreading in virus-fashion.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nominatus_toxic_battery", "https://twitter.com/struppigel/status/1501473254787198977", "https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html" ], "synonyms": [], "type": [] }, "uuid": "2fef9561-e16f-47a9-90c6-a68a1b20cc95", "value": "NominatusToxicBattery" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.noopdoor", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf", "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", "https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2023.pdf" ], "synonyms": [ "HiddenFace" ], "type": [] }, "uuid": "75850d37-317c-4211-b9cb-eb60a7ea22bd", "value": "NOOPDOOR" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nopyfy", "https://labs.k7computing.com/index.php/say-no-to-nopyfy/" ], "synonyms": [], "type": [] }, "uuid": "62fe621a-04aa-4b5d-95d7-c1c3e4bcd17c", "value": "Nopyfy" }, { "description": "An open source C2 framework intended for pentest and red teaming activities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.northstar", "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "synonyms": [], "type": [] }, "uuid": "b783b185-e05c-481b-8c04-d0ba1b745713", "value": "NorthStar" }, { "description": "According to PCrisk, Nosu is the name of a malicious program classified as a stealer. This malware is designed to steal information from infected machines. The Nosu stealer can extract a wide variety of data from devices and installed applications. 
The most active campaigns associated with Nosu were noted in North and South America, as well as Southeast Asia.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nosu", "https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer" ], "synonyms": [], "type": [] }, "uuid": "a67b25dd-527f-40fa-b7e0-c93e856c0a4c", "value": "Nosu" }, { "description": "Nova Stealer is a new information stealer that is offered as Malware-as-a-Service by a new French-speaking actor called \"Nova Sentinel\". Its capabilities include password stealing, browser injections, crypto wallet stealing, discord injections, and screen recordings. Parts of its source code have been made available on GitHub, with certain \"Premium\" features missing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nova", "https://www.gatewatcher.com/lab/groupe-nova-sentinel/", "https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/", "https://github.com/ElasBlueWHale2/Malicord" ], "synonyms": [ "Malicord" ], "type": [] }, "uuid": "fd09577f-18f4-4635-83d8-b64b9e3253f1", "value": "Nova Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/" ], "synonyms": [], "type": [] }, "uuid": "a077c784-6bc5-488d-b844-978d8d081390", "value": "NoxPlayer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor" ], "synonyms": [], "type": [] }, "uuid": "6207668d-af17-44a6-97a2-e1b448264529", "value": "Nozelesn (Decryptor)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.no_justice", 
"https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf" ], "synonyms": [], "type": [] }, "uuid": "26d37e90-7061-4785-a9cf-4302d0a7dc6b", "value": "No-Justice" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom", "https://twitter.com/malwrhunterteam/status/910952333084971008", "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/", "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin" ], "synonyms": [], "type": [] }, "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de", "value": "nRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nspx30", "https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/", "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_2_facundo_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "7c67248b-d655-44ff-a69b-431bf139d373", "value": "NSPX30" }, { "description": "Ntospy is a credential stealer leveraging a well-established technique of abusing the Windows Network Provider interface, a method documented as early as 2004 and exemplified by tools like NPPSpy. Posing as a legitimate Network Provider DLL, Ntospy injects itself into the Windows authentication process, hijacking login attempts to harvest user credentials. It achieves this by registering a malicious Network Provider, typically named \"credman,\" which intercepts authentication requests and redirects them to its malicious DLL. \r\n\r\nInstead of immediately exfiltrating the stolen data, Ntospy employs a form of local storage, writing the captured credentials in cleartext to files disguised as harmless Microsoft Update packages using the .msu file extension. 
These files are often planted in system directories with believable names like \"c:/programdata/package cache/windows10.0-kb5009543-x64.msu,\" further masking their malicious purpose.\r\n\r\nAdding to its stealth, Ntospy incorporates obfuscation techniques to evade detection. This includes using seemingly innocuous filenames for its DLL, often mimicking critical system files like \"ntoskrnl.dll\" to blend in. Some variants even go a step further by encrypting the credential storage file path within the DLL, requiring analysis and decryption to uncover its full functionality.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ntospy", "https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/" ], "synonyms": [], "type": [] }, "uuid": "5afd0fe6-26fe-4b90-b48e-0cb0dfb76fdf", "value": "Ntospy" }, { "description": "NSFOCUS describes NuggetPhantom as a modularized malware toolkit that was spread using EternalBlue. Payloads included a RAT and an XMRig miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nugget_phantom", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf" ], "synonyms": [], "type": [] }, "uuid": "25a5ded7-6167-4f9a-b55d-9cfc9a9a9f22", "value": "NuggetPhantom" }, { "description": "Nullmixer is a dropper/loader for additional malware. It is known to drop a vast amount of different malware, such as info stealers, RATs and additional loaders. 
Samples observed contained up to 8 additional payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer", "https://www.youtube.com/watch?v=92jKJ_G_6ho", "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1", "https://www.youtube.com/watch?v=yLQfDk3dVmA", "https://www.youtube.com/watch?v=v_K_zoPGpdk", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "synonyms": [], "type": [] }, "uuid": "430c92f4-95b4-4b1c-813a-46d3e53a0d1e", "value": "Nullmixer" }, { "description": "According to PCrisk, Numando is a banking trojan written in the Delphi programming language. As the malicious program's classification implies, it is designed to steal banking information. Numando primarily targets Brazil, with seldom campaigns occurring in Mexico and Spain.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.numando", "https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/", "https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/" ], "synonyms": [], "type": [] }, "uuid": "69d63487-6200-4f71-845e-df3997402b00", "value": "Numando" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit", "https://twitter.com/Bank_Security/status/1134850646413385728", "https://twitter.com/r3c0nst/status/1135606944427905025", "http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf" ], "synonyms": [], "type": [] }, "uuid": "83cfa206-b485-47fd-b298-1b008ab86507", "value": "NVISOSPIT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nworm", "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/", "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/", "https://bazaar.abuse.ch/browse/tag/N-W0rm/" ], "synonyms": [ "NWorm", "nw0rm" ], "type": [] }, "uuid": 
"bdc00b3a-2ceb-4818-83fa-96fb11c8540f", "value": "N-W0rm" }, { "description": "Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", "https://www.lawfareblog.com/what-point-these-nation-state-indictments", "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0", "https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/", "https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled", "https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/", "https://www.virusbulletin.com/conference/vb2017/abstracts/linking-xpaj-and-nymaim", "https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf", "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded", "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/", "https://www.cert.pl/en/news/single/nymaim-revisited/", "https://blog.talosintelligence.com/goznym/", "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim", "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", "https://bitbucket.org/daniel_plohmann/idapatchwork" ], "synonyms": [ "nymain" ], 
"type": [] }, "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", "value": "Nymaim" }, { "description": "According to bin.re, in April 2018 a new version of Nymaim appeared that dropped the previous obfuscation and uses a new wordlist-based DGA (Domain Generation Algorithm).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2", "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/" ], "synonyms": [], "type": [] }, "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", "value": "Nymaim2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nyxem", "https://threats.kaspersky.com/en/threat/Email-Worm.Win32.Nyxem/" ], "synonyms": [], "type": [] }, "uuid": "d36a3223-5952-48c9-b2dc-87533fa032dc", "value": "Nyxem" }, { "description": "OATBOAT is a loader that loads and executes shellcode payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oatboat", "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en" ], "synonyms": [], "type": [] }, "uuid": "42222769-e215-41bc-b550-c878403c9d75", "value": "OATBOAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat", "https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf", "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html", "https://www.secrss.com/articles/24995", 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf", "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/", "https://securelist.com/transparent-tribe-part-2/98233/", "https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html", "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html", "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" ], "synonyms": [], "type": [] }, "uuid": "33c138a0-85d3-4497-90e9-ada1d501a100", "value": "Oblique RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene", "https://habr.com/ru/post/27053/", "https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html" ], "synonyms": [], "type": [] }, "uuid": "8f623a37-80a4-4240-9586-6ea7a2a97e30", "value": "Obscene" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.observer_stealer", "https://medium.com/@cyberhust1er/observerstealer-unmasking-the-new-contender-in-cyber-crime-6e54a40d801d" ], "synonyms": [], "type": [] }, "uuid": "9ddbf63f-c9a2-4bd6-8449-189f2d2ce5e4", "value": "ObserverStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceanmap", 
"https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1", "https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/", "https://cert.gov.ua/article/6276894", "https://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b" ], "synonyms": [], "type": [] }, "uuid": "6e33d8cd-f8aa-4be4-9619-867a469a1425", "value": "OCEANMAP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" ], "synonyms": [], "type": [] }, "uuid": "01cef4e7-a8a8-4b42-b509-f91c5d415354", "value": "Oceansalt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus", "https://isc.sans.edu/diary/26918", "https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw", "https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf", "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" ], "synonyms": [], "type": [] }, "uuid": "777b76f9-5390-4899-b201-ebaa8a329c96", "value": "Octopus (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob" ], "synonyms": [], "type": [] }, "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2", "value": "OddJob" }, { "description": "Spam bot that was active around 2007 and after, one of the first malware families to use a domain generation algorithm.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor", "https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//", "https://bin.re/blog/krakens-two-domain-generation-algorithms/", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf" ], "synonyms": [ "Bobax", 
"Kraken" ], "type": [] }, "uuid": "fb5c1af2-9028-47c7-937b-ab0ba0078485", "value": "Oderoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", "value": "Odinaff" }, { "description": "a new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/", "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "af2e4e0d-e8ae-48a9-aac4-2a49242c68d2", "value": "Okrum" }, { "description": "According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28.\r\nIt targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). 
It can use both HTTP or SMTP to exfiltrate data.\r\nIn some places it is mistakenly named \"Sasfis\", which however seems to be a completely different and unrelated malware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait", "https://www.secjuice.com/fancy-bear-review/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ "Sasfis" ], "type": [] }, "uuid": "b79a6b61-f122-4823-a4ab-bbab89fcaf75", "value": "OLDBAIT" }, { "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", "https://www.youtube.com/watch?v=wCv9SiSA7Sw", "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", "https://securelist.com/the-devils-in-the-rich-header/84348/", "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/", "https://attack.mitre.org/groups/G0034", "https://www.youtube.com/watch?v=rjA0Vf75cYk", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", "https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/", "https://www.mbsd.jp/blog/20180215.html", "https://www.youtube.com/watch?v=1jgdMY12mI8", 
"https://securelist.com/apt-trends-report-q2-2019/91897/", "https://securelist.com/olympic-destroyer-is-still-alive/86169/", "https://www.youtube.com/watch?v=a4BZ3SZN-CI", "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights", "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/", "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/" ], "synonyms": [ "SOURGRAPE" ], "type": [] }, "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", "value": "Olympic Destroyer" }, { "description": "According to Symantec, this malware has been deployed against IT services companies in the U.S. and Europe. A multi-stage backdoor, the first stage is a downloader that authenticates to Microsoft Graph API and downloads the second stage payload from OneDrive and executes it. The main payload will download a publicly available file from GitHub. 
It will then create a folder in OneDrive named deviceId_n_ for each infected machine and upload a file to OneDrive to signal the attackers the status of a new infection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ondritols", "https://www.security.com/threat-intelligence/cloud-espionage-attacks" ], "synonyms": [ "Onedrivetools" ], "type": [] }, "uuid": "ae7da05e-0ea6-4a9d-a0fa-8bfe9c74a20c", "value": "Ondritols" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators", "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" ], "synonyms": [], "type": [] }, "uuid": "82733125-da67-44ff-b2ac-b16226088211", "value": "ONHAT" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oni", "https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/" ], "synonyms": [], "type": [] }, "uuid": "c182f370-4721-4968-a3b1-a7e96ab876df", "value": "Oni" }, { "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://blog.f-secure.com/podcast-dukes-apt29/", "https://www.f-secure.com/weblog/archives/00002764.html", "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://www.secureworks.com/research/threat-profiles/iron-hemlock" ], "synonyms": [], "type": [] }, "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", "value": "OnionDuke" }, { "description": "A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", "https://outpost24.com/blog/an-analysis-of-a-spam-distribution-botnet", "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html", "https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/", "https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html" ], "synonyms": [ "Onliner", "SBot" ], "type": [] }, "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", "value": "OnlinerSpambot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae" ], "synonyms": [], "type": [] }, "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", "value": "OopsIE" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html", "https://forum.malekal.com/viewtopic.php?t=21806", "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html" ], "synonyms": [], "type": [] }, "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", "value": "Opachki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opcjacker", "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html" ], "synonyms": [], "type": [] }, "uuid": "22f732f4-efcf-4eb5-8c51-8338dfd33297", "value": "OpcJacker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opensupdater", "https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "03d44ec8-ebb4-4d90-9773-c11f4a7de074", "value": "OpenSUpdater" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.open_carrot", "https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/" ], "synonyms": [], "type": [] }, "uuid": "7fb5882e-1682-45d3-9dfb-204e6c1ca4c9", "value": "OpenCarrot" }, { "description": "This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. 
Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", "https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/", "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" ], "synonyms": [], "type": [] }, "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", "value": "OpGhoul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" ], "synonyms": [], "type": [] }, "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", "value": "OpBlockBuster" }, { "description": "FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "092262b0-c631-400d-9f38-017cd59a14fd", "value": "ORANGEADE" }, { "description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" ], "synonyms": [], "type": [] }, "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", "value": "OrcaRAT" }, { "description": "A malware generating DGA domains seeded by the Bitcoin Genesis Block. 
This family has strong code overlap with win.victorygate.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard", "https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/", "https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard", "https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/", "https://blog.netlab.360.com/orchard-dga/" ], "synonyms": [ "Antavmu" ], "type": [] }, "uuid": "094159e7-cc4f-4c47-b24e-b0a32ba23a58", "value": "Orchard" }, { "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", "https://assets.virustotal.com/reports/2021trends.pdf", "https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/", "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html", 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html", "https://asec.ahnlab.com/en/45462/" ], "synonyms": [ "Schnorchel" ], "type": [] }, "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", "value": "Orcus RAT" }, { "description": "This malware claims to be a ransomware, but it's actually a wiper. After execution, this malware terminates a number of processes such as database processes, likely to allow access to any files that these programs may have held open. Ordinypt will avoid wiping certain files and folders in order to prevent the infected machine from becoming unusable. Affected files are overwritten with null character and receive a random 5 character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in occurs to keep track of the file extension used on that specific machine, as well as which BitCoin address was randomly provided for payment to the victim (drawn from a long list stored in the ransomware configuration). 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html", "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/", "https://www.gdata.de/blog/2017/11/30151-ordinypt" ], "synonyms": [ "GermanWiper", "HSDFSDCrypt" ], "type": [] }, "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", "value": "Ordinypt" }, { "description": "OriginBot is a modular information stealer which can also download and execute other malicious payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.originbot", "https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document" ], "synonyms": [ "OriginBotnet", "OriginLoader" ], "type": [] }, "uuid": "1a2ae63f-323f-4ff7-b465-484f1e87fca4", "value": "OriginBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.originlogger", "https://unit42.paloaltonetworks.com/originlogger/", "https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims", "http://ropgadget.com/posts/originlogger.html" ], "synonyms": [], "type": [] }, "uuid": "c1680c8e-c2e2-4975-82ad-8829b3918d70", "value": "OriginLogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orpcbackdoor", "https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477", "https://medium.com/@knownsec404team/apt-k-47-organization-launches-espionage-attacks-using-a-new-trojan-tool-5e7eccfdce2f", "https://paper.seebug.org/3117/" ], "synonyms": [], 
"type": [] }, "uuid": "27c09b74-6e1e-4567-ae10-75eee3395c36", "value": "ORPCBackdoor" }, { "description": "Oski is a stealer written in C++ that appeared around November 2019 and is being sold for between 70$ to 100$ on Russian-speaking forums. It collects different types of data (cryptocurrency wallets, saved passwords, files matching an attacker-defined pattern etc) and it exfiltrates it in a zip file uploaded to the attacker's panel.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski", "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer", "https://3xp0rt.com/posts/mars-stealer", "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become", "https://twitter.com/albertzsigovits/status/1160874557454131200", "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601", "https://cyberint.com/blog/research/mars-stealer/", "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view", "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/", "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468" ], "synonyms": [], "type": [] }, "uuid": "414d8e68-77e7-4157-936a-d70d80e5efc0", "value": "Oski Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.osno", "https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit", "https://labs.k7computing.com/?p=21562" ], "synonyms": [ "Babax" ], "type": [] }, "uuid": "e2be4da9-0a8f-45a5-a69b-7f16acb39398", "value": "Osno" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ousaban", 
"https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services", "https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/", "https://www.atomicmatryoshka.com/post/ousaban-msi-installer-analysis" ], "synonyms": [], "type": [] }, "uuid": "6620c7ce-63a2-48db-a584-4c5c516bda13", "value": "Ousaban" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.outcrypt", "https://id-ransomware.blogspot.com/2020/07/outcrypt-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "90e5a21a-c058-47a0-aa4d-bffde7ba698e", "value": "OutCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor", "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf", "https://twitter.com/VK_Intel/status/1085820673811992576", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "FACADE" ], "type": [] }, "uuid": "10a521e4-b3b9-4feb-afce-081531063e7b", "value": "Outlook Backdoor" }, { "description": "According to MITRE, OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.outsteel", "https://www.telsy.com/download/6372/?uid=d3eb8e1489" ], "synonyms": [], "type": [] }, "uuid": "d2aab7c9-b83a-4889-9fae-c495ec4d324d", "value": "OutSteel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking", "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/" ], "synonyms": [], "type": [] }, "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", "value": "Overlay RAT" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" ], "synonyms": [], "type": [] }, "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", "value": "OvidiyStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/", "https://www.secureworks.com/research/threat-profiles/bronze-union" ], "synonyms": [ "luckyowa" ], "type": [] }, "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", "value": "owaauth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy", "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf", "https://securelist.com/the-sessionmanager-iis-backdoor/106868/", "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20", "https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/" ], "synonyms": [], "type": [] }, "uuid": "7a6d97a2-821f-4083-9180-3f70a851ad5e", "value": "Owlproxy" }, { "description": "Kaspersky describes this as a OWA add-on that has credential stealing capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owowa", "https://securelist.com/owowa-credential-stealer-and-remote-access/105219/" ], "synonyms": [], "type": [] }, "uuid": "aa985bc5-92e4-43c6-a01b-1de02818cfc9", "value": "Owowa" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oxtarat", "https://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/" ], "synonyms": [], "type": [] }, "uuid": "a5b379c0-7934-4a50-9a34-7ad1524b1fb0", "value": "OxtaRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat", 
"https://twitter.com/BushidoToken/status/1266075992679948289" ], "synonyms": [], "type": [] }, "uuid": "c9eefa23-4881-490f-abff-c78fe0c165ff", "value": "OZH RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ozone", "https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html", "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel" ], "synonyms": [], "type": [] }, "uuid": "4e319700-9350-4656-91f5-0b495af4e8ad", "value": "Ozone RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/" ], "synonyms": [], "type": [] }, "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", "value": "PadCrypt" }, { "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", "value": "paladin" }, { "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. 
It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847", "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", "https://www.youtube.com/watch?v=J7VOfAJvxEY", "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware", "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", "https://www.spamhaus.org/news/article/771/", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko" ], "synonyms": [ "ZeusPanda" ], "type": [] }, "uuid": 
"31ebe294-f125-4cf3-95cc-f4150ab23303", "value": "PandaBanker" }, { "description": "According to PCrisk, Panda is the name of a malicious program, which is classified as a stealer. It is a new variant of CollectorStealer.\r\n\r\nThe aim of this malware is to extract and exfiltrate sensitive and personal information from infected devices. Panda primarily targets data relating to cryptocurrency wallets.\r\n\r\nThis piece of malicious software has been observed being actively distributed via spam campaigns - large-scale operations during which thousands of scam emails are sent. The spam mail proliferating Panda stealer heavily targeted users from the United States, Germany, Japan, and Australia.\r\n\r\nThe deceptive email letters concerned business-related topics (e.g., fake product quote requests, etc.). Panda stealer is a dangerous program, and as such - its infections must be removed immediately upon detection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", "https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware" ], "synonyms": [], "type": [] }, "uuid": "7fa924a9-4d7a-406c-b298-bf3b01557ac8", "value": "Panda Stealer" }, { "description": "Pandora ransomware was obtained by vx-underground at 2022-03-14.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://dissectingmalwa.re/blog/pandora/", "https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box", "https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/", "https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/" ], "synonyms": [], "type": [] }, "uuid": "e43b67bc-3c16-4a69-b63d-f6bf3d732e1b", "value": "Pandora" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora_rat", "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://github.com/AZMagic/Pandora-Hvnc-Hidden-Browser-Real-Vnc-Working-Chromium-Edge-Opera-Gx", "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware" ], "synonyms": [ "Pandora hVNC RAT" ], "type": [] }, "uuid": "db259f3d-b8a1-44d4-8c4d-15bfea2a0c59", "value": "Pandora RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paradies_clipper", "https://www.youtube.com/watch?v=wjoH9jW2EPQ", "https://perception-point.io/blog/behind-the-attack-paradies-clipper-malware/" ], "synonyms": [], "type": [] }, "uuid": "dd1bb757-6084-408a-8090-4e2bf0834c09", "value": "Paradies Clipper" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise", "https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool", "https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/", 
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html", "https://cocomelonc.github.io/book/2023/12/13/malwild-book.html", "https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/", "https://asec.ahnlab.com/en/47590/", "https://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html", "https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/", "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again" ], "synonyms": [], "type": [] }, "uuid": "4f7e7602-79f8-4eea-8239-fb2d4ceadb9f", "value": "Paradise" }, { "description": "Parallax is a Remote Access Trojan used by attackers to gain access to a victim's machine. It was involved in one of the many infamous \"coronamalware\" campaigns. Basically, the attackers abused the COVID-19 pandemic news to lure victims into opening themed emails spreading parallax.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax", "https://threatpost.com/ta2541-apt-rats-aviation/178422/", "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", "https://twitter.com/malwrhunterteam/status/1227196799997431809", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", "https://blog.morphisec.com/parallax-rat-active-status", "https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration", "https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/", "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html" ], "synonyms": [ "ParallaxRAT" ], "type": [] }, "uuid": "39f74f33-467e-47a4-bd2f-e0a191dee9ca", "value": "Parallax RAT" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" ], "synonyms": [], "type": [] }, "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", "value": "parasite_http" }, { "description": "PartyTicket is a Go-written ransomware, which was described as a poorly designed one by Zscaler. According to Brett Stone-Gross this malware is likely intended to be a diversion from the Hermetic wiper (aka. KillDisk.NCV, DriveSlayer) attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.partyticket", "https://www.brighttalk.com/webcast/15591/534324", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", 
"https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", "https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", "https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/", "https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf", "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/", "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation", "https://securelist.com/new-ransomware-trends-in-2022/106457/", "https://www.mandiant.com/resources/information-operations-surrounding-ukraine", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/" ], "synonyms": [ "Elections GoRansom", "HermeticRansom", "SonicVote" ], "type": [] }, "uuid": "697d905a-5353-43ed-97e0-15f7d2763b69", "value": "PartyTicket" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.passlock", "https://id-ransomware.blogspot.com" ], "synonyms": [], "type": [] }, "uuid": "1e78c732-c2f0-4178-a1f5-ccdab0e2d4b8", "value": "Passlock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key", 
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://twitter.com/TrendMicroRSRCH/status/1389422784808378370", "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf", "https://research.checkpoint.com/2020/ransomware-alert-pay2key/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/" ], "synonyms": [ "Cobalt" ], "type": [] }, "uuid": "46dc64c6-e927-44fc-b4a4-efd1677ae030", "value": "Pay2Key" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin", "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/" ], "synonyms": [], "type": [] }, "uuid": "313c81ab-fba2-4577-8de6-863515a65c45", "value": "PayloadBIN" }, { "description": "PcShare is an open-source backdoor which has been seen modified and used by Chinese threat actors, mainly attacking countries in South East Asia.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", "https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html" ], "synonyms": [], "type": [] }, "uuid": "42100d7e-39c7-47c0-bc9e-3c590ed0d837", "value": "PcShare" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash", "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/", "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf", "https://asec.ahnlab.com/en/30532/", "https://asec.ahnlab.com/en/59590/", 
"https://www.us-cert.gov/ncas/analysis-reports/ar20-133c", "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1", "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf", "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2", "https://asec.ahnlab.com/en/30022/", "https://blog.reversinglabs.com/blog/hidden-cobra" ], "synonyms": [], "type": [] }, "uuid": "d6da9699-778c-4c97-82f4-1e9113283bd4", "value": "PEBBLEDASH" }, { "description": "PeddleCheap is a module of the DanderSpritz framework which surfaced with the \"Lost in Translation\" release of TheShadowBrokers leaks. In May 2020, ESET mentioned that they found mysterious samples of PeddleCheap packed with a custom packer so far exclusively attributed to Winnti.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap", "https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/", "https://twitter.com/ESETresearch/status/1258353960781598721", "https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#", "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/" ], "synonyms": [], "type": [] }, "uuid": "ee450087-00e4-4b59-9ea7-6650d5551ea9", "value": "PeddleCheap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pekraut", "https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing" ], "synonyms": [], "type": [] }, "uuid": "88f636b9-9c2e-4faf-ab83-b91009bf47fc", "value": "Pekraut" }, { "description": "Wrapper for Kazuar.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pelmeni", 
"https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/?ref=news.risky.biz", "https://youtu.be/z2xUevYS-mg?t=1334" ], "synonyms": [], "type": [] }, "uuid": "99a3e821-2080-47ae-abed-7694d5fa81e6", "value": "Pelmeni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" ], "synonyms": [], "type": [] }, "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", "value": "Penco" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pennywise", "https://blog.cyble.com/2022/06/30/infostealer/" ], "synonyms": [], "type": [] }, "uuid": "c222def2-0f1f-4c74-9e37-757e964ff3c6", "value": "PennyWise Stealer" }, { "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.peppy_rat", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "49321579-9dfe-45c6-80df-79467e4af65d", "value": "Peppy RAT" }, { "description": "The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. 
This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/" ], "synonyms": [], "type": [] }, "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", "value": "PetrWrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://blogs.blackberry.com/en/2016/07/petya-and-mischa-for-all-part-ii-theyre-here", "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", "https://securelist.com/petya-the-two-in-one-trojan/74609/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://blog.avast.com/inside-petya-and-mischa-ransomware", "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", "https://www.malwarebytes.com/blog/news/2016/06/petya-and-mischa-ransomware-duet-p2", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", "https://blogs.blackberry.com/en/2016/05/petya-and-mischa-for-all-the-raas-boom-expands-to-include-the-petya-mischa-combo", "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/" ], "synonyms": [], "type": [] }, "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", "value": "Petya" }, 
{ "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift" ], "synonyms": [ "ReRol" ], "type": [] }, "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", "value": "pgift" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" ], "synonyms": [], "type": [] }, "uuid": "3a77d0d4-6fb1-4092-9fe3-bf1f51a6677c", "value": "PhanDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phemedrone_stealer", "https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1", "https://spycloud.com/blog/phemedrone-stealer/", "https://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html", "https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html", "https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf", "https://github.com/nullixx/Phemedrone-Stealer/blob/master/README.md" ], "synonyms": [ "Ov3r_Stealer" ], "type": [] }, "uuid": "13c5f597-d7e4-41c7-8143-060a024a9cac", "value": "Phemedrone Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/", 
"https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware" ], "synonyms": [], "type": [] }, "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", "value": "Philadephia Ransom" }, { "description": "MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos", "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://securelist.com/cis-ransomware/104452/", "https://twitter.com/rivitna2/status/1674718854549831681", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware", "https://blogs.blackberry.com/en/2021/11/zebra2104", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/", "https://cert.pl/en/posts/2023/02/breaking-phobos/", "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html", 
"https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/", "https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.pcrisk.com/removal-guides/29391-force-ransomware", "https://www.s-rminform.com/latest-insights/cyber-threat-advisory-phobos-ransomware-launches-new-leak-site-and-pivots-towards-extortion", "https://www.dnsc.ro/vezi/document/alert-backmydata-ransomware-eng-pdf", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/", "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew", "https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/", "https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/", "https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/", "https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack", "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos" ], "synonyms": [], "type": [] }, "uuid": 
"d061daca-4415-4b3e-9034-231e37857eed", "value": "Phobos" }, { "description": "Keylogger, information stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/", "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", "https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger" ], "synonyms": [], "type": [] }, "uuid": "601ea680-68ec-43c9-ba20-88eaaefe8818", "value": "Phoenix Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf" ], "synonyms": [], "type": [] }, "uuid": "58aff639-0eda-4a80-9fe8-22e0498af728", "value": "Phoenix Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phonk", "https://twitter.com/abuse_ch/status/1630111198036348928" ], "synonyms": [], "type": [] }, "uuid": "e0aa3f91-59d6-4344-bcc5-d602aaab21f9", "value": "Phonk" }, { "description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. 
It communicates to a list of four preconfigured C2 servers via ICMP on port 53", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf", "https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/" ], "synonyms": [ "Rizzo" ], "type": [] }, "uuid": "3aa6fd62-9b91-4136-af0e-08af7962ba4b", "value": "PHOREAL" }, { "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", "https://bin.re/blog/phorpiex/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/", "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", "https://research.checkpoint.com/2019/phorpiex-breakdown/", "https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet", "https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", 
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html", "https://twitter.com/_CPResearch_/status/1447852018794643457", "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/", "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/", "https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/", "https://www.johannesbader.ch/2016/02/phorpiex/" ], "synonyms": [ "Trik", "phorphiex" ], "type": [] }, "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", "value": "Phorpiex" }, { "description": "PHOTOFORK is a downloader which is a modified version of GZIPLOADER. It was first detected in February 2023 and was distributed by TA581 along with an unattributed threat activity cluster that facilitated initial access. In this version, the configuration file is no longer encrypted using a simple XOR algorithm with a 64-byte key. Instead, it uses a custom algorithm previously used by the Standard core loader. This algorithm decrypts DLL strings that are needed to resolve handles to the necessary DLLs later on. The strings are decrypted using an algorithm that splits the data into DWORDs and XORs it against a random key. The main objective of PHOTOFORK remains the same as GZIPLOADER, i.e. 
to deliver an encrypted bot and core DLL loader (forked) that loads the Forked ICEDID bot into memory using a custom PE format.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.photofork", "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid" ], "synonyms": [], "type": [] }, "uuid": "10d3dd4b-8858-4131-bcf0-60982f36e43d", "value": "PHOTOFORK" }, { "description": "PHOTOLITE is the lite version of the GZIPLOADER with limited capabilities; for example, it does not have any functionality to exfiltrate the host information. This new variant is observed as a follow-on payload in a TA542 Emotet campaign back in November'22. It contains a static URL to download a \"Bot Pack\" file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.photolite", "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return", "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/", "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid" ], "synonyms": [], "type": [] }, "uuid": "e4609860-99f9-47c9-9e36-350611466f3c", "value": "PHOTOLITE" }, { "description": "A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader", "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid", "https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns", "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", "https://leandrofroes.github.io/posts/Reversing-a-recent-IcedID-Crypter/", 
"https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/", "https://isc.sans.edu/diary/29740", "https://www.team-cymru.com/post/from-chile-with-malware", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://blog.talosintelligence.com/following-the-lnk-metadata-trail", "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary", "https://isc.sans.edu/diary/28636", "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure", "https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf", "https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns", "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1", "https://www.elastic.co/security-labs/unpacking-icedid", "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid", "https://0x0d4y.blog/icedid-technical-analysis/", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", 
"https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html", "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing", "https://www.youtube.com/watch?v=4j8t9kFLFIY", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/", "https://twitter.com/felixw3000/status/1521816045769662468", "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/" ], "synonyms": [ "GZIPLOADER" ], "type": [] }, "uuid": "3418ca80-73d9-49ab-836a-98230a83c67d", "value": "PhotoLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.picasso_loader", "https://cert.gov.ua/article/5098518", "https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/", "https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/" ], "synonyms": [], "type": [] }, "uuid": "77223b00-0299-416b-9b91-fa0cf1306cd3", "value": "PicassoLoader" }, { "description": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. 
This tool was previously observed solely utilized by APT34.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" ], "synonyms": [], "type": [] }, "uuid": "2eb298de-e14b-46c1-a45f-26ae0d2c4003", "value": "PICKPOCKET" }, { "description": "According to Mandiant, PIEHOP is a disruption tool written in Python and packaged with PyInstaller version 2.1+ that has the capability to connect to a user supplied remote MSSQL server for uploading files and issuing remote commands to a RTU.\r\nPIEHOP expects its main function to be called via another Python file, supplying either the argument control=True or upload=True. At a minimum, it requires the following arguments: oik, user, and pwd, and if called with control=True, it must also be supplied with iec104.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.piehop", "https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response" ], "synonyms": [], "type": [] }, "uuid": "2b025b03-9241-4fe4-b691-46c7bace87e4", "value": "PIEHOP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pierogi", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor", "https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/" ], "synonyms": [], "type": [] }, "uuid": "2bda00e8-e6a7-448d-8dfa-4f2276230e8b", "value": "Pierogi" }, { "description": "Introducing Pikabot, an emerging malware 
family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot", "https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot", "https://blog.cyber5w.com/2024/02/25/pikabotloader/", "https://www.youtube.com/watch?v=k2rH0ISuMwE", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html", "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html", "https://www.elastic.co/security-labs/pikabot-i-choose-you", "https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/", "https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html", "https://kienmanowar.wordpress.com/2024/01/06/quicknote-technical-analysis-of-recent-pikabot-core-module/", "https://blog.cyber5w.com/malware%20analysis/PikabotLoader/", "https://www.malware-traffic-analysis.net/2023/10/03/index.html", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://www.hivepro.com/wp-content/uploads/2023/05/Pikabot-A-Stealthy-Backdoor-with-Ingenious-Evasion-Tactics_TA2023246.pdf", "https://blog.krakz.fr/notes/syswhispers2/", 
"https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html", "https://d01a.github.io/pikabot/", "https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html", "https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads", "https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/", "https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/", "https://github.com/VenzoV/MalwareAnalysisReports/blob/main/Pikabot/Pikabot%20Loader.md", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://www.vmray.com/cyber-security-blog/why-your-edr-let-pikabot-jump-through/", "https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation", "https://www.zscaler.com/blogs/security-research/d-evolution-pikabot", "https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398", "https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/", "https://www.youtube.com/watch?v=lBuZ7cvl24Y", "https://blog.pulsedive.com/pikabot/" ], "synonyms": [], "type": [] }, "uuid": "992151e9-2d4d-4621-9a2e-f2219f97e55b", "value": "Pikabot" }, { "description": "According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.\r\n Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged)\r\n Contains additional backdoor capabilities including:\r\n Running processes\r\n Downloading and executing files (T1105: Remote File Copy)\r\n Downloading and injecting DLLs (T1055: Process Injection)\r\n Communicates with a command and control (C2) server over HTTP using AES encrypted messages\r\n (T1071: Standard Application Layer Protocol)\r\n (T1032: Standard Cryptographic Protocol)\r\n\r\n", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" ], "synonyms": [], "type": [] }, "uuid": "dec78ec5-f02d-461f-a8cc-cd4e80099e38", "value": "PILLOWMINT" }, { "description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke", "https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf" ], "synonyms": [], "type": [] }, "uuid": "d837fc8e-1298-4911-9cfd-eb434a25bf3a", "value": "PinchDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinegrove", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust?hl=en" ], "synonyms": [], "type": [] }, "uuid": "8c9289d7-3e16-46dd-9506-187a42206cba", "value": "PINEGROVE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pingback", "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/" ], "synonyms": [], "type": [] }, "uuid": 
"a05b1eba-8e89-4d05-97ef-cacc5a083913", "value": "PingBack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", "https://www.snort.org/rule_docs/1-26941" ], "synonyms": [], "type": [] }, "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", "value": "pipcreat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon", "https://twitter.com/ESETresearch/status/1506904404225630210", "https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" ], "synonyms": [], "type": [] }, "uuid": "34c0b51a-7139-44ab-b09a-cef646e66ba0", "value": "PipeMon" }, { "description": "Cisco Talos states that PipeSnoop can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipesnoop", "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks", "https://blog.talosintelligence.com/introducing-shrouded-snooper/" ], "synonyms": [ "TOFUPIPE" ], "type": [] }, "uuid": "29e75560-d16f-4434-a6a5-0258a916103d", "value": "PipeSnoop" }, { "description": "Infostealer", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirate_stealer", "https://mostwanted002.page/post/malware-analysis-and-triage-report-piratestealer", "https://mostwanted002.cf/post/malware-analysis-and-triage-report-piratestealer/" ], "synonyms": [], "type": [] }, "uuid": "19748031-0d8d-4e76-bf8e-0838f8a3d07c", "value": "PirateStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", 
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" ], "synonyms": [ "CookieCutter", "SHOTPUT" ], "type": [] }, "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", "value": "pirpi" }, { "description": "According to TG Soft, Pitou was released in April 2014. It may be an evolution of the rootkit \"Srizbi\" developed in 2008. Pitou is a spambot; its main goal is to send spam from the victim's computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf", "http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf", "https://isc.sans.edu/diary/rss/25068", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", "https://johannesbader.ch/2019/07/the-dga-of-pitou/" ], "synonyms": [], "type": [] }, "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", "value": "Pitou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", "value": "PittyTiger RAT" }, { "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). 
In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot", "http://blog.kleissner.org/?p=788" ], "synonyms": [ "Bublik", "Pykbot", "TBag" ], "type": [] }, "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", "value": "Pkybot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", "https://unit42.paloaltonetworks.com/atoms/rancortaurus/", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html" ], "synonyms": [], "type": [] }, "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", "value": "PLAINTEE" }, { "description": "According to PCrisk, PLAY is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.\r\n\r\nAfter we executed a sample of this ransomware on our test machine, it encrypted files and appended their filenames with a \".PLAY\" extension. For example, a file titled \"1.jpg\" appeared as \"1.jpg.PLAY\", \"2.png\" as \"2.png.PLAY\", etc. 
Once the encryption process was completed, PLAY created a text file named \"ReadMe.txt\" on the desktop.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.play", "https://www.orangecyberdefense.com/global/blog/playing-the-game", "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", "https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware", "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play", "https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy", "https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/", "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware", "https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/" ], "synonyms": [ "PlayCrypt" ], "type": [] }, "uuid": "52cf16fb-aab7-4d93-a624-e12c18064720", "value": "PLAY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" ], "synonyms": 
[], "type": [] }, "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", "value": "playwork" }, { "description": "PLEAD is a RAT used by the actor BlackTech. FireEye uses the synonyms GOODTIMES for the RAT module and DRAWDOWN for the respective downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", "http://www.freebuf.com/column/159865.html", "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html", "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf", "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html", "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", 
"https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020" ], "synonyms": [ "DRAWDOWN", "GOODTIMES", "Linopid" ], "type": [] }, "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", "value": "PLEAD (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html", "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america", "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", "https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", "value": "Ploutus ATM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx", "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" ], "synonyms": [], "type": [] }, "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", "value": "ployx" }, { "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. 
Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims", "https://www.macnica.net/file/security_report_20160613.pdf", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", "https://www.secureworks.com/research/threat-profiles/bronze-olive", "https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/", "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", "https://www.secureworks.com/research/threat-profiles/bronze-woodland", "https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity", 
"https://securelist.com/apt-trends-report-q2-2020/97937/", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_8_yi-chin_yu-tung_en.pdf", "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", "https://attack.mitre.org/groups/G0001/", "https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf", "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://mahmoudzohdy.github.io/posts/re/plugx/", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf", "https://twitter.com/stvemillertime/status/1261263000960450562", "https://blog.xorhex.com/blog/mustangpandaplugx-1/", "https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/", "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", "https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/", 
"https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://blog.ensilo.com/uncovering-new-activity-by-apt10", "https://asec.ahnlab.com/en/49097/", "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://www.secureworks.com/blog/bronze-president-targets-government-officials", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", "https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/", "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/", "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited", "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", "https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", "https://www.contextis.com/en/blog/dll-search-order-hijacking", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", 
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.contextis.com/de/blog/avivore", "https://blog.vincss.net/re027-china-based-apt-mustang-panda-might-still-have-continued-their-attack-activities-against-organizations-in-vietnam/", "https://securelist.com/time-of-death-connected-medicine/84315/", "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/", "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/", "https://www.youtube.com/watch?v=IRh6R8o1Q7U", "https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack", "https://unit42.paloaltonetworks.com/unsigned-dlls/", "https://therecord.media/redecho-group-parks-domains-after-public-exposure/", "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", "https://www.us-cert.gov/ncas/alerts/TA17-117A", "https://www.mmcert.org.mm/en/file-download/download/public/374", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://archive.is/LJFEF", "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.youtube.com/watch?v=C_TmANnbS2k", "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/", 
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/", "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", "https://blog.xorhex.com/blog/mustangpandaplugx-2/", "https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf", "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers", "https://www.youtube.com/watch?v=6SDdUVejR2w", "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/", "https://www.youtube.com/watch?v=r1zAVX_HnJg", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf", "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf", "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/", 
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://unit42.paloaltonetworks.com/thor-plugx-variant/", "https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf", "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://engineers.ffri.jp/entry/2022/11/30/141346", "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/", "https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf", "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", "https://attack.mitre.org/groups/G0096", "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", "https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf", "https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia", "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-SOGU-with-Google-Security-Operations/ba-p/758777", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.contextis.com/en/blog/avivore", "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/", "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/", "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", 
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", "https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", "https://www.recordedfuture.com/china-linked-ta428-threat-group", "https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf", "https://www.youtube.com/watch?v=qEwBGGgWgOM", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", "https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html", "https://www.youtube.com/watch?v=-7Swd1ZetiQ", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", 
"https://www.secureworks.com/research/bronze-president-targets-ngos", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a", "https://tracker.h3x.eu/info/290", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", "https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/", "https://community.rsa.com/thread/185439", "https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html", "https://blog.vincss.net/vi/re012-2-phan-tich-ma-doc-loi-dung-dich-covid-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-nguyen-xuan-phuc-phan-2-2/", "https://blog.vincss.net/vi/re012-1-phan-tich-ma-doc-loi-dung-dich-covid-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-nguyen-xuan-phuc-phan-1-2/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://blog.talosintelligence.com/dragon-rank-seo-poisoning/", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-union", 
"https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop", "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", "https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/", "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html", "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", "https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf", "https://blog.xorhex.com/blog/reddeltaplugxchangeup/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_en.pdf", "https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html", "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/", "https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html", "https://www.youtube.com/watch?v=E2_DTQJjDYc", "https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf", "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://risky.biz/whatiswinnti/", 
"https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/", "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/", "https://twitter.com/xorhex/status/1399906601562165249?s=20", "https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/", "https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution", "https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/", "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/", "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf", "https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication" ], "synonyms": [ "Destroy RAT", "Kaba", "Korplug", "RedDelta", "Sogu", "TIGERPLUG" ], "type": [] }, "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", "value": "PlugX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox", "https://securelist.com/plurox-modular-backdoor/91213/", "https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html" ], "synonyms": [], "type": [] }, "uuid": "6c8b94fc-f2d4-4347-aa49-4e6daac74314", "value": "Plurox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", "https://attack.mitre.org/groups/G0024", "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" ], "synonyms": [], "type": [] }, "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", "value": "pngdowner" }, { "description": "According to ESET Research, PNGLoad is a second-stage payload deployed by Worok on compromised systems and loaded either by CLRLoad or PowHeartBeat. PNGLoad has capabilities to download and execute additional payloads from a C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat. 
PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable - obfuscated with .NET Reactor - that masquerades as legitimate software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.png_load", "https://www.welivesecurity.com/2022/09/06/worok-big-picture/" ], "synonyms": [], "type": [] }, "uuid": "f99b030e-7ad5-4983-b28a-43c14efd27c9", "value": "PNGLoad" }, { "description": "Uses the POCO C++ cross-platform library and XOR-based string obfuscation; shows SSL library code and string overlap with Xtunnel and infrastructure overlap with X-Agent; probably in use since mid-2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown", "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html", "https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html", "https://twitter.com/cyb3rops/status/1129653190444703744" ], "synonyms": [ "Blitz", "PocoDownloader" ], "type": [] }, "uuid": "25804d6d-447f-4933-9ba0-876f9d054b68", "value": "PocoDown" }, { "description": "According to FireEye, POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. 
POISONPLUG has been observed using social platforms to host encoded C&C commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html", "https://content.fireeye.com/apt-41/rpt-apt41/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" ], "synonyms": [ "Barlaiy" ], "type": [] }, "uuid": "3b1c7856-5158-418c-90ad-afda67a66963", "value": "poisonplug" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf", "https://attack.mitre.org/groups/G0011", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://engineers.ffri.jp/entry/2022/11/30/141346", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", 
"https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf", "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://community.riskiq.com/article/56fa1b2f", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf", "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", "http://blogs.360.cn/post/APT_C_01_en.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", "https://unit42.paloaltonetworks.com/atoms/crawling-taurus/", "https://vblocalhost.com/uploads/VB2020-20.pdf", "https://www.recordedfuture.com/china-linked-ta428-threat-group", 
"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://www.youtube.com/watch?v=YCwyc6SctYs", "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii" ], "synonyms": [ "SPIVY", "pivy", "poisonivy" ], "type": [] }, "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "value": "Poison Ivy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_rat", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/" ], "synonyms": [], "type": [] }, "uuid": 
"69605d66-d77e-4e7b-8c64-381e2cd97c14", "value": "Poison RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat", "http://fireeyeday.com/1604/pdf/KeyNote_2.pdf", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", "https://youtu.be/DDA2uSxjVWY?t=344" ], "synonyms": [ "KABOB", "Zlib" ], "type": [] }, "uuid": "d30d5a0c-cbfb-49c3-99e7-1d6d1888fc2d", "value": "Poldat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polpo", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia" ], "synonyms": [], "type": [] }, "uuid": "40a4c426-5a50-4252-89ce-c857788568cc", "value": "PolPo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke", "https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/", "https://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/" ], "synonyms": [], "type": [] }, "uuid": "53371de9-291a-4d33-9fd2-058b43dddd5d", "value": "PolyglotDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" ], "synonyms": [], "type": [] }, "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", "value": "Polyglot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice", "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/", 
"https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2", "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/" ], "synonyms": [ "Chily" ], "type": [] }, "uuid": "31017b7c-c023-4247-b37d-f15f2df5d25a", "value": "PolyVice" }, { "description": "According to KnowBe4, Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf", "https://www.knowbe4.com/pony-stealer", "https://www.youtube.com/watch?v=y8Z9KnL8s8s", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://github.com/nyx0/Pony", "http://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection", "http://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", 
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.youtube.com/watch?v=42yldTQ-fWA", "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", "https://intel471.com/blog/a-brief-history-of-ta505", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/" ], "synonyms": [ "Fareit", "Siplog" ], "type": [] }, "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", "value": "Pony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/" ], "synonyms": [], "type": [] }, "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", "value": "PoohMilk Loader" }, { "description": "According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. 
This malware has been observed being used by UNC3944.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poortry", "https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/", "https://acsense.com/blog/a-guide-to-scattered-spider-data-breaches/", "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://www.trellix.com/about/newsroom/stories/research/scattered-spider-the-modus-operandi/", "https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html", "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware" ], "synonyms": [], "type": [] }, "uuid": "17b87423-66e5-451e-8a84-5f4fd8bb2b01", "value": "POORTRY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb", "https://asec.ahnlab.com/ko/18796/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://securelist.com/apt-trends-report-q2-2018/86487/", "https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019" ], "synonyms": [], "type": [] }, "uuid": "e166950b-2d0d-41e1-aee6-ccf0895ce9a5", "value": "PoorWeb" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time" ], "synonyms": [], "type": [] }, "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", "value": "Popcorn Time" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor", "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba", "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/", 
"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf", "https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector" ], "synonyms": [], "type": [] }, "uuid": "7d3b71ff-6dbc-43bb-ae74-9aacdf80783c", "value": "PortDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" ], "synonyms": [], "type": [] }, "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", "value": "portless" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.portstarter", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/" ], "synonyms": [], "type": [] }, "uuid": "20b3f812-f81b-4df2-9dbc-de83aa73d24f", "value": "PortStarter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" ], "synonyms": [], "type": [] }, "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", "value": "poscardstealer" }, { "description": "PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.\r\n\r\nPoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. 
These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/", "https://redcanary.com/blog/getsystem-offsec/", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md", "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://paper.seebug.org/1301/", "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/", "https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/", "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html", "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://github.com/nettitude/PoshC2_Python/" ], "synonyms": [], "type": [] }, "uuid": "0215eae2-0ab7-4567-8ac6-1be36a7893a6", "value": "PoshC2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp", "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", 
"https://twitter.com/just_windex/status/1162118585805758464", "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf", "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/" ], "synonyms": [ "PUNCHTRACK" ], "type": [] }, "uuid": "15305d8b-55ff-47b2-b1c7-550a8a36ce36", "value": "PoSlurp" }, { "description": "PostNapTea aka SIGNBT is an HTTP(S) RAT that is written as a complex object-oriented project.\r\n\r\nIn 2022-2023, it was deployed against targets like a newspaper organization, agriculture-related entity or a software vendor. The initial access was usually achieved by exploiting vulnerabilities in widely-used software in South Korea.\r\n\r\nIt collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration. \r\n\r\nPostNapTea uses AES for encryption and decryption ot network traffic. There is a constant prefix SIGNBT occuring in its HTTP POST requests. The prefix is concatenated with 2 characters that identify the communication stage:\r\n• LG: logging into the C&C server\r\n• KE: acknowledging the succesful login to the C&C\r\n• FI: sending the status of a failed operation \r\n• SR: sending the status of a successful operation\r\n• GC: getting the next command\r\n\r\nThere are five classes that represent command groups:\r\n• CCButton: for file manipulation and screen capturing\r\n• CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig,\r\nsysteminfo, and netsh advfirewall. \r\n• CCComboBox: for file system management\r\n• CCList: for process management\r\n• CCBrush: for control of the malware itself\r\n\r\nIt stores its configuration in JSON format. 
It resolves the Windows APIs it requires during runtime, via the Fowler–Noll–Vo (FNV) hash function.\r\n\r\nIts internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea", "https://securelist.com/unveiling-lazarus-new-campaign/110888/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf" ], "synonyms": [ "SIGNBT" ], "type": [] }, "uuid": "a31717c0-f25e-4da4-b1a8-84b6fdca2ea1", "value": "PostNapTea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer", "https://www.youtube.com/watch?v=MaPXDCq-Gf4", "https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/", "https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true", "https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20" ], "synonyms": [ "Poullight" ], "type": [] }, "uuid": "e4bcb3e4-17f6-4786-a19b-255c48a07f9a", "value": "Poulight Stealer" }, { "description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to “securely” test the ransomware protection capabilities of security vendor products.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware", "https://youtu.be/oYLs6wuoOfg", "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html" ], "synonyms": [], "type": [] }, "uuid": "632001f4-a313-4753-b876-f85df00bc387", "value": "Povlsomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks", "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users", 
"https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/", "https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file" ], "synonyms": [], "type": [] }, "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", "value": "Poweliks" }, { "description": ".NET variant of ps1.powerton.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerband", "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/" ], "synonyms": [], "type": [] }, "uuid": "ab603f29-9c10-4fb0-9fa3-e123fad11a31", "value": "POWERBAND" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/", "https://twitter.com/VK_Intel/status/1141540229951709184" ], "synonyms": [], "type": [] }, "uuid": "f19e4583-e14d-41b7-9b7a-2bd7eeffd4b1", "value": "PowerCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html", "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/" ], "synonyms": [], "type": [] }, "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", "value": "PowerDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "9e3aaf82-268b-47d1-b953-3799c5e1f475", "value": "powerkatz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader", "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html" 
], "synonyms": [], "type": [] }, "uuid": "de96ba83-27ec-434c-b77f-7a06820b6e78", "value": "PowerLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b", "value": "PowerPool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner", "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" ], "synonyms": [], "type": [] }, "uuid": "1e2dfce6-1e38-4cff-a78e-b43a442ae8e6", "value": "PowerShellRunner" }, { "description": "A malware of the gozi group, developed on the base of isfb. It uses Office Macros and PowerShell in documents distributed in e-mail messages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", "https://lokalhost.pl/gozi_tree.txt", "https://content.fireeye.com/m-trends/rpt-m-trends-2017", "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/" ], "synonyms": [ "PUNCHBUGGY" ], "type": [] }, "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", "value": "Powersniff" }, { "description": "QUICKRIDE.POWER is a PowerShell variant of the QUICKRIDE backdoor. 
Its payloads are often saved to C:\\windows\\temp\\", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/", "https://content.fireeye.com/apt/rpt-apt38", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ "QUICKRIDE.POWER" ], "type": [] }, "uuid": "606f778a-8b99-4880-8da8-b923651d627b", "value": "PowerRatankba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor", "https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" ], "synonyms": [], "type": [] }, "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", "value": "prb_backdoor" }, { "description": "Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes: Payload builder and Command and Control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web-camera. 
It is developed using a modular approach so that criminals may add more sophisticated tools on top of it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://securelist.com/a-predatory-tale/89779", "https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html", "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "54041c03-5714-4247-9226-3c801f59bc07", "value": "Predator The Thief" }, { "description": "According to PCrisk, Prestige is ransomware - malware that prevents victims from accessing (opening) their files by encrypting them. Additionally, Prestige appends the \".enc\" extension to filenames and drops the \"README\" file containing a ransom note. 
An example of how this ransomware modifies filenames: it renames \"1.jpg\" to \"1.jpg.enc\", \"2.png\" to \"2.png.enc\", and so forth.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prestige", "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/", "https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" ], "synonyms": [], "type": [] }, "uuid": "156b617e-2ae4-47a8-9498-6343b24cc6fe", "value": "Prestige" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka", "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf", "https://securelist.com/cloudwizard-apt/109722/" ], "synonyms": [], "type": [] }, "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f", "value": "Prikormka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex", "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/", "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502" ], "synonyms": [], "type": [] }, "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", "value": "Prilex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker", "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/", "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/" ], "synonyms": [], "type": [] }, "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8", "value": "PrincessLocker" }, { "description": "According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. 
The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader", "https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service", "https://www.youtube.com/watch?v=Ldp7eESQotM", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://www.zscaler.com/blogs/security-research/peeking-privateloader", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey", "https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey", "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise", "https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1", "https://embee-research.ghost.io/identifying-privateloader-servers-with-censys/", "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html", "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f", "https://intel471.com/blog/privateloader-malware", "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", "https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/", "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign", "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e" ], "synonyms": [], "type": [] }, "uuid": "dc62452c-a563-4a98-a4cd-174a7125e566", "value": 
"PrivateLoader" }, { "description": "Malware that abuses the Common Log File System (CLFS) to store/hide a second-stage payload via registry transaction files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog", "https://twitter.com/ESETresearch/status/1433819369784610828", "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive" ], "synonyms": [], "type": [] }, "uuid": "41bd3db9-a6f2-49b4-966a-3c710827fa82", "value": "PRIVATELOG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.project_hook", "https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/" ], "synonyms": [], "type": [] }, "uuid": "d0c7815d-6039-436f-96ef-0767aabbdb36", "value": "Project Hook POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.project_wood", "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/", "https://www.sans.org/white-papers/33814/", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_2_facundo_en.pdf", "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" ], "synonyms": [], "type": [] }, "uuid": "c8513379-2be1-4802-87b6-50482f4dabd7", "value": "ProjectWood" }, { "description": "According to Lior Rochberger, Cybereason, Prometei is a modular and multi-stage cryptocurrency botnet. It was discovered in July 2020; the Cybereason Nocturnus team found evidence that Prometei has been evolving since 2016. 
There are Linux and Windows versions of this malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei", "https://twitter.com/honeymoon_ioc/status/1494016518694309896", "https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://blog.talosintelligence.com/prometei-botnet-improves/", "https://twitter.com/honeymoon_ioc/status/1494311182550904840", "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities" ], "synonyms": [], "type": [] }, "uuid": "eddb73d8-a33b-4cc6-b1d5-4697f2f4d0ee", "value": "Prometei (Windows)" }, { "description": "Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus", "https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html", "https://unit42.paloaltonetworks.com/prometheus-ransomware/", "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware", "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/", "https://twitter.com/inversecos/status/1441252744258461699?s=20", "https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd", "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd", "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea", "https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/", "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/" ], "synonyms": [], "type": [] }, "uuid": "5b5f10bf-2bbe-4019-810c-69eba58ebc81", "value": "Prometheus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.proteus", 
"https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html" ], "synonyms": [], "type": [] }, "uuid": "6d5724c6-646f-498a-b810-a6cee20f2b3c", "value": "proteus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.proto8_rat", "https://github.com/avast/ioc/tree/master/OperationDragonCastling" ], "synonyms": [], "type": [] }, "uuid": "2f5797e7-fe30-4d23-9fbe-4092d53b1660", "value": "Proto8RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot", "https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/", "https://www.youtube.com/watch?v=FttiysUZmDw" ], "synonyms": [], "type": [] }, "uuid": "03f30d04-4568-4c4c-88d6-b62efc72f33a", "value": "ProtonBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prynt_stealer", "https://twitter.com/vxunderground/status/1519632014361640960", "https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/" ], "synonyms": [], "type": [] }, "uuid": "09a1c6e8-c99f-4648-8210-08c25183f537", "value": "Prynt Stealer" }, { "description": "According to PCrisk, PseudoManuscrypt is the name of the malware that spies on victims. It is similar to another malware called Manuscrypt. 
We have discovered PseudoManuscrypt while checking installers for pirated software (one of the examples is a fake pirated installer for SolarWinds - a network monitoring software).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt", "https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/", "https://www.youtube.com/watch?v=uakw2HMGZ-I", "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1", "https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://asec.ahnlab.com/en/31683/" ], "synonyms": [], "type": [] }, "uuid": "bae89d64-30ce-4bfd-937b-0ec4ac846f60", "value": "PseudoManuscrypt" }, { "description": "According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid-September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following modules have been observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/", "https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure", "https://blog.comodo.com/comodo-news/versions-of-psixbot/", "https://twitter.com/mesa_matt/status/1035211747957923840", "https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module", "https://twitter.com/seckle_ch/status/1169558035649433600", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145" ], "synonyms": [ "PsiXBot" ], "type": [] }, "uuid": 
"416ae41e-17b2-46f6-847b-2831a0b3f8e9", "value": "PsiX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a", "https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/", "https://twitter.com/KevinPerlow/status/1160766519615381504" ], "synonyms": [ "ECCENTRICBANDWAGON" ], "type": [] }, "uuid": "1b1d3548-08db-4dff-878f-77d2f0b69777", "value": "PSLogger" }, { "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss", "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" ], "synonyms": [ "PSS" ], "type": [] }, "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", "value": "PC Surveillance System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon", "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf", "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", "https://www.elastic.co/blog/playing-defense-against-gamaredon-group", "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html", "https://threatmon.io/cybergun-technical-analysis-of-the-armageddons-infostealer/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/", "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/", "https://cert.gov.ua/news/46", "https://blogs.blackberry.com/en/2022/11/gamaredon-leverages-microsoft-office-docs-to-target-ukraine-government", 
"https://blogs.cisco.com/security/network-footprints-of-gamaredon-group", "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game", "https://attack.mitre.org/groups/G0047", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine", "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021", "https://blog.threatstop.com/russian-apt-gamaredon-group", "https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://cert.gov.ua/article/2807", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/", "https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/", "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt", "https://cert.gov.ua/news/42", "https://cert.gov.ua/article/10702", "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/", "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf" ], "synonyms": [ "Pterodo" ], "type": [] }, "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", "value": "Pteranodon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubload", "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", "https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/", 
"https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/", "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/", "https://twitter.com/katechondic/status/1556940169483264000", "https://www.lac.co.jp/lacwatch/report/20221117_003189.html" ], "synonyms": [ "ClaimLoader", "PUBLOAD" ], "type": [] }, "uuid": "db8f94e9-768d-4ad1-befb-55b4b820174f", "value": "PUBLOAD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html", "http://blog.alyac.co.kr/1853" ], "synonyms": [], "type": [] }, "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", "value": "PubNubRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" ], "synonyms": [ "poscardstealer", "pospunk", "punkeypos" ], "type": [] }, "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", "value": "Punkey POS" }, { "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. 
Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://www.infinitumit.com.tr/apt-35/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://cyble.com/blog/analysing-the-utg-q-010-campaign/", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/n1nj4sec/pupy", "https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/" ], "synonyms": [ "Patpoopy" ], "type": [] }, "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", "value": "pupy (Windows)" }, { "description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and 
information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://any.run/cybersecurity-blog/pure-malware-family-analysis/", "https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/", "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter", "https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "554993dc-2a30-43d9-ac96-fc9b9cca29f6", "value": "PureCrypter" }, { "description": "ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker", "https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/", "https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e", "https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md" ], "synonyms": [], "type": [] }, "uuid": "7a0f3f15-6920-4bc0-baa1-17dd8263948e", "value": "PureLocker" }, { "description": "PureLogs, also known as PureLog Stealer, is an infostealer malware from the Pure family that aims to steal sensitive information from infected devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelogs", "https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/", "https://russianpanda.com/2023/12/26/Pure-Logs-Stealer-Malware-Analysis/", 
"https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en", "https://any.run/cybersecurity-blog/pure-malware-family-analysis/" ], "synonyms": [], "type": [] }, "uuid": "02cd0480-5de3-4a61-9df8-376a4202b66b", "value": "PureLogs Stealer" }, { "description": "Purple Fox uses the msi.dll function 'MsiInstallProductA' to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. Once executed, the system is restarted and the 'PendingFileRenameOperations' registry entry is used to rename its components. \r\n\r\nUpon restart the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability. \r\n\r\nThe latest version of Purple Fox abuses open-source code to enable its rootkit components, which includes hiding and protecting its files and registry entries. 
It also abuses a file utility software to hide its DLL component, which deters reverse engineering.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox", "https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit", "https://www.bleepingcomputer.com/news/security/purplefox-malware-infects-thousands-of-computers-in-ukraine/", "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html", "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware", "https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/", "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20", "https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html", "https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html", "https://s.tencent.com/research/report/1322.html", "https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf", "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/", "https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/", "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html", "https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html", "https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/", "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html", "https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt" ], "synonyms": [], "type": [] }, "uuid": "31638e2b-1c6b-47b9-bbb9-7316f206b354", "value": "PurpleFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purpleink", "https://blog.talosintelligence.com/lilacsquid/" ], "synonyms": [], "type": [] }, "uuid": "dce38032-f18c-46a6-8e64-d7c0bbbed1f0", "value": "purpleink" }, { "description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user’s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave", "https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia" ], "synonyms": [], "type": [] }, "uuid": "0b63109b-0b4d-4f5d-a475-c91af4eed857", "value": "PurpleWave" }, { "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. 
There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most; that sophistication lies in the Pushdo control server rather than the trojan.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.secureworks.com/research/pushdo", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/", "http://malware-traffic-analysis.net/2017/04/03/index2.html", "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf" ], "synonyms": [], "type": [] }, "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", "value": "Pushdo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" ], "synonyms": [], "type": [] }, "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228", "value": "Putabmow" }, { "description": "The dropper module is used to install two executables that pretend to be legitimate files belonging to the Microsoft Windows OS. One of these files (%SYSTEM%\\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker", "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/" ], "synonyms": [], "type": [] }, "uuid": "2c835470-1bd2-4bd6-a83b-e9c3e12fa0ad", "value": "puzzlemaker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e", "value": "PvzOut" }, { "description": "PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. 
Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/", "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/", "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji", "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/", 
"https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html", "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/", "https://www.group-ib.com/blog/prolock_evolution", "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.intrinsec.com/egregor-prolock/", "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html", "https://www.group-ib.com/blog/prolock" ], "synonyms": [ "ProLock" ], "type": [] }, "uuid": "fe0cf4ab-f151-4549-8127-f669c319d546", "value": "PwndLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos", "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/", "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html", "https://twitter.com/physicaldrive0/status/573109512145649664", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf" ], "synonyms": [], "type": [] }, "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab", "value": "pwnpos" }, { "description": "Py2exe built worm propagating via USB drives, having wiper features embedded in the logic (based on today's date being later than 2016-04-03 and existence of a file C:\\txt.txt)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pyfiledel", "https://biebermalware.wordpress.com/2018/02/14/reversing-py2exe-binaries/", 
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm.win32.pyfiledel.aa" ], "synonyms": [], "type": [] }, "uuid": "ea8f44b0-6940-42e0-a93f-77a6b572b140", "value": "win.pyfiledel" }, { "description": "According to Akamai, Pykspa is a worm that spreads via Skype by sending messages to other Skype users with download links. Once downloaded, Pykspa extracts personal information and communicates with its command and control servers (C2) using a domain generation algorithm (DGA).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa", "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", "https://bin.re/blog/pykspas-inferior-dga-version/", "https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html", "https://www.youtube.com/watch?v=HfSQlC76_s4", "https://bin.re/blog/the-dga-of-pykspa/", "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/" ], "synonyms": [], "type": [] }, "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", "value": "Pykspa" }, { "description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. 
It is written in Python and packaged with PyInstaller.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html", "https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/", "https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/", "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" ], "synonyms": [ "Locky Locker" ], "type": [] }, "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490", "value": "PyLocky" }, { "description": "Full-featured Python RAT compiled into an executable.\r\n\r\nPyXie RAT functionality includes:\r\n* Man-in-the-middle (MITM) Interception\r\n* Web-injects\r\n* Keylogging\r\n* Credential harvesting\r\n* Network Scanning\r\n* Cookie theft\r\n* Clearing logs\r\n* Recording video\r\n* Running arbitrary payloads\r\n* Monitoring USB drives and exfiltrating data\r\n* WebDav server\r\n* Socks5 proxy\r\n* Virtual Network Connection (VNC)\r\n* Certificate theft\r\n* Inventorying software\r\n* Enumerating the domain with Sharphound", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", 
"https://www.ic3.gov/Media/News/2021/211101.pdf", "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/" ], "synonyms": [ "PyXie RAT" ], "type": [] }, "uuid": "41217f01-2b03-41c1-88fc-cda1eee65f75", "value": "PyXie" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" ], "synonyms": [], "type": [] }, "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa", "value": "Qaccel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/", "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/", "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan", "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/" ], "synonyms": [], "type": [] }, "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", "value": "Qadars" }, { "description": "QBot is a modular information stealer also known as Qakbot or Pinkslipbot. 
It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. Its botnet infrastructure was disrupted by an international law-enforcement operation in August 2023 (see refs), but Qakbot-affiliated actors have been reported distributing ransomware afterwards, so detections should not be retired on the strength of the takedown alone.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", "https://blog.quosec.net/posts/grap_qakbot_navigation/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot", "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", "https://web.archive.org/web/20151026140427/https://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.secureworks.com/research/threat-profiles/gold-lagoon", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html", "https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/", "http://blog.opensecurityresearch.com/2011/12/intro-to-reversing-w32pinkslipbot.html", "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html", "https://quosecgmbh.github.io/blog/grap_qakbot_strings.html", "https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/", "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan", "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies", 
"https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/", "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html", "https://github.com/m4now4r/Presentations/blob/main/Unveiling%20Qakbot%3A%20Exploring%20one%20of%20the%20Most%20Active%20Threat%20Actors/Unveiling%20Qakbot_Exploring%20one%20of%20the%20Most%20Active%20Threat%20Actors.pdf", "https://twitter.com/kienbigmummy/status/1460537501676802051", "https://isc.sans.edu/diary/rss/28568", "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", "https://twitter.com/Unit42_Intel/status/1461004489234829320", "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/", "https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf", "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/", "https://www.atomicmatryoshka.com/post/malware-headliners-qakbot", 
"https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns", "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://blog.vincss.net/re021-qakbot-analysis-dangerous-malware-has-been-around-for-more-than-a-decade/", "https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/", "https://experience.mandiant.com/trending-evil-2/p/1", "https://sansorg.egnyte.com/dl/ALlvwK6fp0", "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/", "https://twitter.com/_alex_il_/status/1384094623270727685", "https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf", "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.youtube.com/watch?v=utqaGgnb5yM", "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", "https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/", "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", "https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/", "https://www.intrinsec.com/egregor-prolock/", 
"https://embee-research.ghost.io/advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates/", "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs", "https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/", "https://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://web.archive.org/web/20110406012907/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii", "https://syrion.me/qakbot-bb-extractor/", "https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails", "https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps", "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", "https://experience.mandiant.com/trending-evil/p/1", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://bin.re/blog/the-dga-of-qakbot/", "https://www.bitsight.com/blog/emotet-botnet-rises-again", "https://www.justice.gov/d9/2023-08/23mj4244_application_redacted.pdf", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", "https://www.malwarology.com/posts/3-qakbot-process-injection/", "https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown", "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/", "https://embee-research.ghost.io/shodan-censys-queries/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic", 
"https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", "https://invokere.com/posts/2024/02/automating-qakbot-malware-analysis-with-binary-ninja/", "https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources", "https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/", "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", "https://twitter.com/redcanary/status/1334224861628039169", "https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", "https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot", "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction", "https://www.um.edu.mt/library/oar/handle/123456789/76802", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", "https://www.youtube.com/watch?v=gk7fCC5RiAQ", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", 
"https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7", "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques", "https://twitter.com/elisalem9/status/1381859965875462144", "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://d01a.github.io/pikabot/", "https://malcat.fr/blog/writing-a-qakbot-50-config-extractor-with-malcat/", "https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/", "https://blog.quosec.net/posts/grap_qakbot_strings/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://blog.lumen.com/qakbot-retool-reinfect-recycle/", "https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a", "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://twitter.com/ChouchWard/status/1405168040254316547", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://www.youtube.com/watch?v=1gExOpNqXYo", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://twitter.com/Corvid_Cyber/status/1455844008081641472", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://hatching.io/blog/reversing-qakbot", "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841", "https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view", "https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware", 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://redcanary.com/blog/intelligence-insights-december-2021", "https://embeeresearch.io/shodan-censys-queries/", "https://www.youtube.com/watch?v=0WNPjG8HjOw", "https://www.youtube.com/watch?v=4I0LF8Vm7SI", "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", "https://www.youtube.com/watch?v=M22c1JgpG-U", "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/", "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", "https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "http://www.secureworks.com/research/threat-profiles/gold-lagoon", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/", "https://blog.talosintelligence.com/following-the-lnk-metadata-trail", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://isc.sans.edu/diary/rss/28728", "https://www.shadowserver.org/news/qakbot-botnet-disruption/", "https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory", "https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/", "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917", 
"https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", "https://x.com/bryceabdo/status/1790457784099614776", "https://twitter.com/TheDFIRReport/status/1361331598344478727", "https://blog.group-ib.com/prometheus-tds", "https://syrion.me/malware/qakbot-bb-extractor/", "https://malwareandstuff.com/upnp-messing-up-security-since-years/", "https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4", "https://isc.sans.edu/diary/rss/26862", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://www.malwarology.com/posts/4-qakbot-api-hashing/", "https://www.team-cymru.com/post/visualizing-qakbot-infrastructure", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot", "https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques", "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/", "https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb", "https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html", "https://twitter.com/embee_research/status/1592067841154756610?s=20", "https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis", "https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/", 
"https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight", "https://www.circl.lu/pub/tr-64/", "https://www.youtube.com/watch?v=WcFfgEZwEgM", "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", "https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga", "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/", "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", "https://www.malwarology.com/2022/04/qakbot-series-process-injection/", "https://www.youtube.com/watch?v=OCRyEUhiEyw", "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks", "https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html", "https://krebsonsecurity.com/2023/08/u-s-hacks-qakbot-quietly-removes-botnet-infections/", "https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/", "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/", "https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros", 
"https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", "https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/", "https://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i", "https://www.malwarology.com/2022/04/qakbot-series-api-hashing/", "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", "https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/", "https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html", "https://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/", "https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/", "http://contagiodump.blogspot.com/2010/11/template.html", "https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development", "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.elastic.co/security-labs/qbot-malware-analysis", "https://www.youtube.com/watch?v=cmJpRncrAp0", "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/", "https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php", "https://www.youtube.com/watch?v=iB1psRMtlqg", "https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", "https://www.malwarology.com/posts/2-qakbot-conf-extraction/", "https://www.elastic.co/de/security-labs/qbot-malware-analysis", "https://asec.ahnlab.com/en/44662/", "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", 
"https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/", "https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ", "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/", "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer", "https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://securelist.com/qakbot-technical-analysis/103931/", "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html", "https://www.elastic.co/security-labs/qbot-configuration-extractor", "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html", 
"https://zw01f.github.io/malware%20analysis/qakbot/", "https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html", "https://www.group-ib.com/blog/egregor", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://labs.k7computing.com/index.php/qakbot-returns/", "https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/", "https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/", "https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/", "https://www.group-ib.com/blog/prolock_evolution", "https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/", "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://twitter.com/tylabs/status/1462195377277476871", "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html", "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://isc.sans.edu/diary/rss/28448", "https://github.com/0xThiebaut/PCAPeek/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://www.justice.gov/d9/2023-08/23mj4251_application_redacted.pdf", "https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", "https://securelist.com/cve-2024-30051/112618", "https://web.archive.org/web/20130530033754/http://www.symantec.com/connect/blogs/qakbot-steals-2gb-confidential-data-week", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", 
"https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/" ], "synonyms": [ "Oakboat", "Pinkslipbot", "Qbot", "Quakbot" ], "type": [] }, "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "value": "QakBot" }, { "description": "According to F-Secure, this is a network worm with backdoor capabilities, which spreads itself under Win32 systems. The worm was reported in-the-wild in July-August, 2000. The worm itself is a Win32 executable file and about 120K long, written in MS Visual C++.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" ], "synonyms": [ "Tolouge" ], "type": [] }, "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", "value": "QHost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/" ], "synonyms": [ "qtproject" ], "type": [] }, "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222", "value": "QtBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", "https://twitter.com/Arkbird_SOLG/status/1458973883068043264", "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/" ], "synonyms": [], 
"type": [] }, "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", "value": "QuantLoader" }, { "description": "A stager used by APT29 to download and run CobaltStrike.\r\nHere, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig", "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf", "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77" ], "synonyms": [ "MUSKYBEAT", "STATICNOISE" ], "type": [] }, "uuid": "ef29604c-1fc8-4f3f-9342-dbb28bb1bd5b", "value": "QUARTERRIG" }, { "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", "https://www.antiy.cn/research/notice&report/research_report/20201228.html", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://www.youtube.com/watch?v=yimh33nSOt8", "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign", "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", 
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://blog.morphisec.com/syk-crypter-discord", "https://asec.ahnlab.com/en/31089/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", "https://twitter.com/malwrhunterteam/status/789153556255342596", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://blog.ensilo.com/uncovering-new-activity-by-apt10", "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://securelist.com/apt-trends-report-q1-2021/101967/", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", "https://embee-research.ghost.io/shodan-censys-queries/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blog.minerva-labs.com/trapping-quasar-rat", "https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html", "https://twitter.com/struppigel/status/1130455143504318466", 
"https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934", "https://intel471.com/blog/privateloader-malware", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", "https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", "https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/", "https://www.cisa.gov/news-events/analysis-reports/ar18-352a", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", "https://embeeresearch.io/shodan-censys-queries/", "https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", 
"https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques", "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", "https://github.com/jeFF0Falltrades/rat_king_parser", "https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://embee-research.ghost.io/hunting-quasar-rat-shodan", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://dfir.ch/posts/asyncrat_quasarrat/", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", "https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/", "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", 
"https://blog.reversinglabs.com/blog/rats-in-the-library", "https://blog.malwarelab.pl/posts/venom/", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time", "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" ], "synonyms": [ "CinaRAT", "QuasarRAT", "Yggdrasil" ], "type": [] }, "uuid": "05252643-093b-4070-b62f-d5836683a9fa", "value": "Quasar RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", "https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42" ], "synonyms": [], "type": [] }, "uuid": "8a4747a4-8165-40eb-abfe-fd674558ecb4", "value": "QuickHeal" }, { "description": "QuickMute is a malware developed using the C/C++ programming language. Functionally provides download, RC4 decryption, and in-memory launch of the payload (waiting for a PE file with the export function \"HttpsVictimMain\"). 
To communicate with the management server, a number of protocols are provided, in particular: TCP, UDP, HTTP, HTTPS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickmute", "https://cert.gov.ua/article/375404" ], "synonyms": [], "type": [] }, "uuid": "56d5ee92-845e-4b71-814c-2b0f0ca88523", "value": "QUICKMUTE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quietcanary", "https://securelist.com/it-threat-evolution-q2-2023/110355/", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" ], "synonyms": [ "Kapushka", "Tunnus" ], "type": [] }, "uuid": "2577fb8d-1511-49f7-9b62-7816137190c8", "value": "QUIETCANARY" }, { "description": "According to Microsoft, this is a heavily obfuscated .NET malware, primarily geared towards the exfiltration of data from the compromised host. But it can also receive and execute a remote payload from the operator.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quietsieve", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" ], "synonyms": [], "type": [] }, "uuid": "49aa0a57-812c-4344-9315-cd8c3220198e", "value": "QuietSieve" }, { "description": "QuiteRAT is a simple remote access trojan written with the help of Qt libraries.\r\n\r\nAfter sending preliminary system information to its C&C server, it expects a response containing either a supported command code or an actual Windows command (like systeminfo or ipconfig with parameters) to execute.\r\n\r\nIt was deployed in a campaign exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quiterat", "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf", 
"https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", "https://blog.talosintelligence.com/lazarus-quiterat/", "https://asec.ahnlab.com/ko/56256/" ], "synonyms": [ "Acres" ], "type": [] }, "uuid": "03409fbe-c8ac-41f9-a89b-38dd9f7ef63d", "value": "QuiteRAT" }, { "description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab", "https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/" ], "synonyms": [], "type": [] }, "uuid": "728ce877-6f1d-4719-81df-387a8e395695", "value": "Qulab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qvoidstealer", "https://github.com/Enum0x539/Qvoid-Token-Grabber" ], "synonyms": [ "Qvoid-Token-Grabber" ], "type": [] }, "uuid": "020950da-79e5-481b-9986-14ed1c97e04c", "value": "QvoidStealer" }, { "description": "According to the author, r77 is a ring 3 rootkit that hides everything: \r\n* Files, directories\r\n* Processes & CPU usage\r\n* Registry keys & values\r\n* Services\r\n* TCP & UDP connections\r\n* Junctions, named pipes, scheduled tasks", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.r77", "https://twitter.com/malmoeb/status/1523179260273254407", "https://github.com/bytecode77/r77-rootkit" ], "synonyms": [ "r77 Rootkit" ], "type": [] }, "uuid": "f577050b-a4a3-4ebd-a9d9-77300f3435f5", "value": "r77" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980", "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" ], "synonyms": [], "type": [] }, "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", "value": "r980" }, { "description": "Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. 
It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon", "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html", "https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view", "https://d01a.github.io/raccoon-stealer/", "https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/", "https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den", "https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities", "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block", "https://www.youtube.com/watch?v=1dbepxN2YD8", "https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/RaccoonStealer_V2.0/Raccon%20Stealer%20Technical%20Analysis%20Report.pdf", "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", 
"https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/", "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d", "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf", "https://www.youtube.com/watch?v=kfl_2_NBVGc", "https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/", "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family", "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/", "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-recordbreaker-f6400c11d58b", "https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf", "https://cyberint.com/blog/financial-services/raccoon-stealer/", "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8", "https://ke-la.com/information-stealers-a-new-landscape/", "https://www.group-ib.com/blog/fakesecurity_raccoon", "https://www.youtube.com/watch?v=5KHZSmBeMps", "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html", "https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/", "https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/", 
"https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", "https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/", "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf", "https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/", "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/", "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/", "https://asec.ahnlab.com/en/35981/", "https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram", "https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949", "https://twitter.com/GroupIB_GIB/status/1570821174736850945", "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon", "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://www.riskiq.com/blog/labs/magecart-medialand/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer", "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/", "https://asec.ahnlab.com/ko/25837/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/" ], "synonyms": [ "Mohazo", "RaccoonStealer", "Racealer", "Racoon" ], "type": [] }, "uuid": "027fb7d0-3e9b-4433-aee1-c266e165a5cc", "value": "Raccoon" }, { "description": "Racket 
Downloader is an HTTP(S) downloader.\r\n\r\nIt uses a custom substitution cipher for decryption of its character strings, and RC5 with a 256-bit key for encryption and decryption of network traffic. \r\n\r\nIt sends an HTTP POST request containing a particular value that inspired its name, like \"?product_field=racket\" or \"prd_fld=racket\".\r\n\r\nRacket Downloader was deployed against South Korean targets running the Initech INISAFE CrossWeb EX software in Q2 2021 and Q1 2022.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.racket", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://asec.ahnlab.com/ko/40495/", "https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12", "https://asec.ahnlab.com/en/33801/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical" ], "synonyms": [], "type": [] }, "uuid": "993db92e-0c84-4750-a58f-2b61d6cd6d67", "value": "Racket Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rad", "https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf" ], "synonyms": [], "type": [] }, "uuid": "f99e0c8b-a479-4902-9c7e-e16724323ef6", "value": "Rad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant" ], "synonyms": [], "type": [] }, "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", "value": "Radamant" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat", "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" ], "synonyms": [], "type": [] }, "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", "value": "RadRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker", 
"https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/", "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/", "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", "https://www.ic3.gov/Media/News/2022/220307.pdf", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", "https://www.acronis.com/en-sg/articles/ragnar-locker/", "https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information", "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/", "https://twitter.com/AltShiftPrtScn/status/1403707430765273095", "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/", 
"https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", "http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html", "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/", "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://resources.prodaft.com/wazawaka-report", "https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1", "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", 
"https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", "https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/", "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/", "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/" ], "synonyms": [], "type": [] }, "uuid": "33f55172-873b-409e-a09b-97ac1301b036", "value": "RagnarLocker (Windows)" }, { "description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://www.tarlogic.com/blog/ragnarok-malware-stopper-vaccine/", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw" ], "synonyms": [], "type": [] }, "uuid": "ce9dffb7-2220-4e9c-9cb1-221195ba42ba", "value": "Ragnarok" }, { "description": "Raindrop is a loader for Cobalt Strike that was 
observed in the SolarWinds attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf", "https://www.youtube.com/watch?v=GfbxHy6xnbA", "https://www.mandiant.com/resources/unc2452-merged-into-apt29" ], "synonyms": [], "type": [] }, "uuid": "309f9be7-8824-4452-90b3-cef81fd10099", "value": "Raindrop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/" ], "synonyms": [], "type": [] }, "uuid": "cf6887d9-3d68-4f89-9d61-e97dcc4d8c20", "value": "Rakhni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html", "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md" ], "synonyms": [ "brebsd" ], "type": [] }, "uuid": "805b99d1-233d-4f7f-b343-440e5d507494", "value": "Rambo" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" ], "synonyms": [], "type": [] }, "uuid": "51f53823-d289-4176-af45-3fca7eda824b", "value": "Ramdo" }, { "description": "According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.\r\n\r\nRamnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", "https://muha2xmad.github.io/unpacking/ramnit/", "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://informationsecurity.report/Resources/Whitepapers/b201d876-c5df-486d-975e-2dc08eb85f02_W32.Ramnit%20analysis.pdf", "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail", "https://www.youtube.com/watch?v=l6ZunH6YG0A", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://artik.blue/malware4", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", 
"https://redcanary.com/resources/webinars/deep-dive-process-injection/", "https://www.youtube.com/watch?v=N4f2e8Mygag", "http://www.secureworks.com/research/threat-profiles/gold-fairfax", "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", "https://research.checkpoint.com/ramnits-network-proxy-servers/", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf", "https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/", "https://bin.re/blog/the-dga-of-ramnit/", "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [ "Nimnul" ], "type": [] }, "uuid": "542161c0-47a4-4297-baca-5ed98386d228", "value": "Ramnit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay", "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/", "https://www.antiy.cn/research/notice&report/research_report/20200522.html", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://www.youtube.com/watch?v=SKIu4LqMrns", "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html" ], "synonyms": [], "type": [] }, "uuid": "3b5bb37b-c5be-45b6-a4b1-83a03605a926", "value": "Ramsay" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", 
"https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf", "https://bin.re/blog/the-dga-of-ranbyus/", "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/", "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", "https://bin.re/blog/ranbyuss-dga-revisited/" ], "synonyms": [], "type": [] }, "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", "value": "Ranbyus" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranion", "https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas" ], "synonyms": [], "type": [] }, "uuid": "2ae8b99c-cebe-4758-8ae9-8f336a7bef0d", "value": "Ranion" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam", "http://blog.talosintel.com/2016/07/ranscam.html" ], "synonyms": [], "type": [] }, "uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b", "value": "Ranscam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc", "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles" ], "synonyms": [], "type": [] }, "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", "value": "Ransoc" }, { "description": "RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. 
It shares commonalities with Defray777.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", "https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.ic3.gov/Media/News/2021/211101.pdf", "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html", "https://www.sentinelone.com/anthology/ransomexx/", "https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/", "https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.youtube.com/watch?v=qxPXxWMI2i4", "https://github.com/Bleeping/Ransom.exx", 
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx" ], "synonyms": [ "Defray777", "Ransom X" ], "type": [] }, "uuid": "ddb31693-2356-4345-9c0f-ab37724090a4", "value": "RansomEXX (Windows)" }, { "description": "Ransomware written in Golang and obfuscated with Gobfuscate, with significant code overlap to Knight ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomhub", "https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware" ], "synonyms": [], "type": [] }, "uuid": "5cd36ca4-ddf9-4abf-a7e4-b54a5d02c62a", "value": "RansomHub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2", "https://forum.malekal.com/viewtopic.php?t=36485&start=" ], "synonyms": [ "WinLock" ], "type": [] }, "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c", "value": "Ransomlock" }, { "description": "Ransomware SNC is a ransomware who encrypts files and asks for a variable amount of Bitcoin before releasing the decryption key to your files. 
The threat actor asks to be contacted for negotiating the right ransom fee.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomware_snc", "https://yomi.yoroi.company/report/5deea91bac2ea1dcf5337ad8/5deead588a4518a7074dc6e6/overview" ], "synonyms": [], "type": [] }, "uuid": "0e9c2936-7167-48fb-9dee-a83f83d8e41e", "value": "SNC" }, { "description": "InfinityGroup notes that Rapid Ransomware, unlike regular Ransomware, stays active on the computer after initially encrypting the systems and also encrypts any new files that are created. It does this by creating auto-runs that are designed to launch the ransomware and display the ransom note every time the infected system is started.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://twitter.com/malwrhunterteam/status/977275481765613569", "https://twitter.com/malwrhunterteam/status/997748495888076800" ], "synonyms": [], "type": [] }, "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5", "value": "Rapid Ransom" }, { "description": "A spy trojan is a type of malware that has the capability to gather information from the infected system without consent from the user. 
This information is then sent to a remote attacker.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer", "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html" ], "synonyms": [], "type": [] }, "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431", "value": "RapidStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog", "https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/", "https://tracker.fumik0.com/malware/Rarog" ], "synonyms": [], "type": [] }, "uuid": "184e5134-473c-4a01-9a8b-f4776f178fc9", "value": "Rarog" }, { "description": "This ransomware encrypts all user’s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [], "type": [] }, "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066", "value": "rarstar" }, { "description": "Worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin", "https://darktrace.com/blog/the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin", "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", "https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin", "https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe", "https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html", 
"https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/", "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks", "https://unit42.paloaltonetworks.com/unsigned-dlls/", "https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis", "https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/", "https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/", "https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/", "https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices", "https://redcanary.com/blog/raspberry-robin/", "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ], "synonyms": [ "LINK_MSIEXEC", "QNAP-Worm", "RaspberryRobin" ], "type": [] }, "uuid": "34b3a45b-e522-4342-91c8-b6aad9817f99", "value": "Raspberry Robin" }, { "description": "This is a backdoor that establishes persistence using the Startup folder. \r\nIt communicates to its C&C server using HTTPS and a static HTTP User-Agent \r\nstring. QUICKRIDE is capable of gathering information about the system, \r\ndownloading and loading executables, and uninstalling itself. 
It was leveraged \r\nagainst banks in Poland.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba", "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html", "https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf", "https://content.fireeye.com/apt/rpt-apt38", "https://twitter.com/PhysicalDrive0/status/828915536268492800", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware", "https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ "QUICKRIDE" ], "type": [] }, "uuid": "eead20f5-6a30-4700-8d14-cfb2d42eaff0", "value": "Ratankba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos", "https://securelist.com/lazarus-under-the-hood/77908/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "http://blog.trex.re.kr/3" ], "synonyms": [ "RATANKBAPOS" ], "type": [] }, "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", "value": "RatankbaPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel", "https://github.com/FrenchCisco/RATel", "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", 
"https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" ], "synonyms": [], "type": [] }, "uuid": "56ac6980-4db4-4bac-8f8a-cebf5ead6308", "value": "RATel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratsnif", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html" ], "synonyms": [], "type": [] }, "uuid": "2f700b52-4379-4b53-894b-1823e34ae71d", "value": "RatSnif" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawdoor", "https://harfanglab.io/en/insidethelab/apt31-indictment-analysis/" ], "synonyms": [], "type": [] }, "uuid": "4dd64925-a899-42ed-ae79-49030cd6d419", "value": "RAWDOOR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", "https://www.youtube.com/watch?v=fevGZs0EQu8", "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite", "https://threatvector.cylance.com/en_us/home/rawpos-malware.html" ], "synonyms": [], "type": [] }, "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", "value": "RawPOS" }, { "description": "Razy is a malware family which uses a malicious browser extension in order to steal cryptocurrency.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.razy", "https://securelist.com/razy-in-search-of-cryptocurrency/89485/" ], "synonyms": [], "type": [] }, "uuid": "6293085e-55c7-4026-8c98-1fa489692d4e", "value": "Razy" }, { "description": "A family identified by ESET Research in the InvisiMole campaign.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm", "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" ], "synonyms": 
[], "type": [] }, "uuid": "165f385f-8507-4cd3-9afd-911a016b2d29", "value": "RC2FM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/", "https://www.f-secure.com/documents/996508/1030745/callisto-group", "https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf", "https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html" ], "synonyms": [ "Crisis", "Remote Control System" ], "type": [] }, "uuid": "c359c74e-4155-4e66-a344-b56947f75119", "value": "RCS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" ], "synonyms": [], "type": [] }, "uuid": "40eff712-4812-4b8a-872d-7c9f4b7a8d72", "value": "RCtrl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", 
"value": "rdasrv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat", "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf" ], "synonyms": [ "GREYSTUFF" ], "type": [] }, "uuid": "69798a1e-1caf-4bc8-b4af-6508d8a26717", "value": "RDAT" }, { "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot", "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/", "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html" ], "synonyms": [], "type": [] }, "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f", "value": "ReactorBot" }, { "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. 
The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver", "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" ], "synonyms": [], "type": [] }, "uuid": "826c31ca-2617-47e4-b236-205da3881182", "value": "Reaver" }, { "description": "This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker", "https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/", "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/", "https://d01a.github.io/raccoon-stealer/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware", "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family", "https://asec.ahnlab.com/en/52072/", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-recordbreaker-f6400c11d58b", "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8", 
"https://www.youtube.com/watch?v=NI_Yw2t9zoo", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/", "https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/" ], "synonyms": [], "type": [] }, "uuid": "812fbee2-6f12-4dca-a205-d317fb9065bb", "value": "RecordBreaker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha", "https://www.recordedfuture.com/redalpha-cyber-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", "value": "RedAlpha" }, { "description": "According to Trend Micro, this backdoor receives valid domain credentials as an argument and uses them to log on to the Exchange Server, which it then uses for data exfiltration. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. Trend Micro also observed that the threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcap", "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html" ], "synonyms": [], "type": [] }, "uuid": "c1ba2ad1-70d9-4833-ac15-18fb8d0a2408", "value": "RedCap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcurl", "https://go.group-ib.com/report-redcurl-en?_gl=1*t8hou9*_ga*MTY4NTg1NzA4Ny4xNzA4MDk1MjMx*_ga_QMES53K3Y2*MTcwODA5NTIzMC4xLjEuMTcwODA5NjAyNy45LjAuMA..", "https://go.group-ib.com/report-redcurl-awakening-en", "https://bi.zone/eng/expertise/blog/red-wolf-vnov-shpionit-za-kommercheskimi-organizatsiyami/" ], "synonyms": [], "type": [] }, "uuid": "913d3007-9c2b-4c1c-b3a6-2ecb736bc338", "value": "RedCurl" }, { "description": "According to Zscaler ThreatLabz, RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities. The malware's name derives from the common method names observed during analysis.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redenergy_stealer", "https://www.zscaler.com/blogs/security-research/ransomware-redefined-redenergy-stealer-ransomware-attacks" ], "synonyms": [], "type": [] }, "uuid": "b5cbe5c8-8cda-43af-bd67-99dcbd9e0dbf", "value": "RedEnergy Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves", "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", 
"https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", "https://www.jpcert.or.jp/magazine/acreport-redleaves.html", "https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware", "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/", "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "http://blog.macnica.net/blog/2017/12/post-8c22.html", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-117A" ], "synonyms": [ "BUGJUICE" ], "type": [] }, "uuid": "a70e93a7-3578-47e1-9926-0818979ed866", "value": "RedLeaves" }, { "description": "RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. 
FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/", "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1", "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://medium.com/@idan_malihi/redline-stealer-malware-analysis-76506ef723ab", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/", "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/", "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://ke-la.com/information-stealers-a-new-landscape/", "https://www.youtube.com/watch?v=05-1Olqf6qw", "https://blog.morphisec.com/syk-crypter-discord", "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers", "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/", "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become", "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", 
"https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns", "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html", "https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html", "https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://securityscorecard.com/research/detailed-analysis-redline-stealer", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html", "https://blog.avast.com/adobe-acrobat-sign-malware", "https://web.archive.org/web/20230606224056/https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152", "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack", "https://cyber-anubis.github.io/malware%20analysis/redline/", "https://labs.k7computing.com/index.php/credential-stealer-redline-reemerges/", "https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html", "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign", "https://unit42.paloaltonetworks.com/lapsus-group/", "https://muha2xmad.github.io/malware-analysis/fullredline/", 
"https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware", "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html", "https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/", "https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf", "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html", "https://www.youtube.com/watch?v=NI_Yw2t9zoo", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://asec.ahnlab.com/en/30445/", "https://intel471.com/blog/privateloader-malware", "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://embee-research.ghost.io/identifying-risepro-panels-using-censys/", "https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/", "https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/", "https://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail", "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/", "https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://blog.netlab.360.com/purecrypter", "https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", 
"https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://fourcore.io/blogs/threat-hunting-browser-credential-stealing", "https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/", "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware", "https://embeeresearch.io/redline-stealer-basic-static-analysis-and-c2-extraction/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/", "https://securityscorecard.pathfactory.com/all/a-detailed-analysis", "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", "https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/", "https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download", "https://dr4k0nia.github.io/posts/Unpacking-RedLine-Stealer/", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://russianpanda.com/2023/11/20/MetaStealer-Redline's-Doppelganger/", 
"https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/", "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/", "https://asec.ahnlab.com/ko/25837/", "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882", "https://research.checkpoint.com/2024/stargazers-ghost-network/", "https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer", "https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software", "https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152", "https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/", "https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/", "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", "https://www.secureworks.com/research/darktortilla-malware-analysis", "https://unit42.paloaltonetworks.com/bluesky-ransomware/", "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/", "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html", "https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf", "https://securelist.com/malvertising-through-search-engines/108996/", "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193", "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", 
"https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two", "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service", "https://asec.ahnlab.com/en/35981/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/", "https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer", "https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/" ], "synonyms": [ "RECORDSTEALER" ], "type": [] }, "uuid": "ff18a858-7778-485c-949b-d28d867d1ffb", "value": "RedLine Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redosdru", "https://securitynews.sonicwall.com/xmlpost/redosdru-v-malware-that-hides-in-encrypted-dll-files-to-avoid-detection-by-firewalls-may-112016/" ], "synonyms": [], "type": [] }, "uuid": "eb7a5417-ebbe-42c9-834b-2412a7e338f1", "value": "Redosdru" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper", "https://twitter.com/ItsReallyNick/status/1136502701301346305" ], "synonyms": [ "Adupib" ], "type": [] }, "uuid": "42fc1cf4-23ee-47a6-bdd3-7dc824948ba7", "value": "REDPEPPER" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redrum", "https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html" ], "synonyms": [ "Grinch", "Thanos", "Tycoon" ], "type": [] }, "uuid": "cbb4cfd8-3642-4b04-a199-8e9b4b80fb62", "value": "RedRum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt", 
"https://twitter.com/ItsReallyNick/status/1136502701301346305", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf" ], "synonyms": [ "Dipsind" ], "type": [] }, "uuid": "da2210c7-c953-4367-9f4b-778e77af7ce7", "value": "REDSALT" }, { "description": "REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via command-line.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", "https://content.fireeye.com/apt/rpt-apt38", "https://securelist.com/lazarus-under-the-hood/77908/", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" ], "synonyms": [], "type": [] }, "uuid": "799cce43-6ba0-4e21-9a63-f8b7f9bb7cc4", "value": "REDSHAWL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms", "https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/" ], "synonyms": [], "type": [] }, "uuid": "36893c2a-28ad-4dd3-a66b-906f1dd15b92", "value": "Redyms" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert", "https://twitter.com/JaromirHorejsi/status/816237293073797121" ], "synonyms": [], "type": [] }, "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618", "value": "Red Alert" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler", "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf" ], "synonyms": [], "type": [] }, "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7", "value": "Red Gambler" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg", "https://cert.gov.ua/article/6278706", "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF", "https://www.secureworks.com/research/samsam-ransomware-campaigns", "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/", "https://www.welivesecurity.com/2022/09/06/worok-big-picture/", "https://www.secureworks.com/blog/ransomware-deployed-by-adversary", "https://blog.talosintelligence.com/new-zardoor-backdoor/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf", "https://sensepost.com/discover/tools/reGeorg/", "https://github.com/sensepost/reGeorg", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/" ], "synonyms": [], "type": [] }, "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad", "value": "reGeorg" }, { "description": "Regin is a sophisticated malware and hacking toolkit attributed to United States' National Security Agency (NSA) for government spying operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin malware targeted victims in a range of industries, telecom, government, and financial institutions. It was engineered to be modular and over time dozens of modules have been found and attributed to this family. 
Symantec observed around 100 infections in 10 different countries across a variety of organisations including private companies, government entities, and research institutes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://www.youtube.com/watch?v=jeLd-gw2bWo", "https://www.epicturla.com/previous-works/hitb2020-voltron-sta", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/", "https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/" ], "synonyms": [], "type": [] }, "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", "value": "Regin" }, { "description": "According to PCrisk, RegretLocker is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. 
During the encryption process, all affected files are appended with the \".mouse\" extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker", "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/", "https://twitter.com/malwrhunterteam/status/1321375502179905536", "https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/" ], "synonyms": [], "type": [] }, "uuid": "f89df0d5-2d01-49a2-a2d0-71cdc6a9d64e", "value": "RegretLocker" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekensom", "https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html" ], "synonyms": [ "GHack Ransomware" ], "type": [] }, "uuid": "b59a97df-04c5-4e54-a7aa-92452baa7240", "value": "RekenSom" }, { "description": "A Trojan for Windows with the same code structure and functionalities as elf.rekoobe, which targets Linux environments instead.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew", "https://www.mandiant.com/resources/fin13-cybercriminal-mexico", "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/" ], "synonyms": [ "tinyshell.win", "tshd.win" ], "type": [] }, "uuid": "e928d9ca-237f-48ab-ab4c-65c04baeb863", "value": "win.rekoobe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rektloader", "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html" ], "synonyms": [], "type": [] }, "uuid": "431808a0-3671-4072-a9af-9947a54b4b9d", "value": "Rekt Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rektware", "https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html" ], "synonyms": [ "PRZT Ransomware" ], "type": [] }, "uuid": "b40a66c6-c8fa-43c3-8084-87e90f00a8f1", "value": "Rektware" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.relic_race", "https://cert.gov.ua/article/955924" ], "synonyms": [], "type": [] }, "uuid": "9bc81527-97fe-4dd6-87e6-d8ae75e58818", "value": "RelicRace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom", "http://www.secureworks.com/research/threat-profiles/gold-franklin", "https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef", "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/" ], "synonyms": [ "RemoteCommandExecution" ], "type": [] }, "uuid": "135ce3db-a242-4f81-844a-cf03eb72c291", "value": "RemCom" }, { "description": "Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.\r\n\r\nRemcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.\r\nRemcos, once installed, opens a backdoor on the computer, granting full access to the remote user.\r\nRemcos is developed by the cybersecurity company BreakingSecurity.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/", "https://perception-point.io/behind-the-attack-remcos-rat/", "https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat", "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", "https://www.vmray.com/cyber-security-blog/smart-memory-dumping/", 
"https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/", "https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://infosecwriteups.com/unfolding-remcos-rat-4-9-2-pro-dfb3cb25bbd1", "https://www.telsy.com/download/4832/", "https://www.esentire.com/blog/remcos-rat", "https://dissectingmalwa.re/malicious-ratatouille.html", "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://labs.k7computing.com/index.php/unknown-ttps-of-remcos-rat/", "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine", "https://asec.ahnlab.com/ko/32101/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four", "https://cert.gov.ua/article/3931296", "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/", "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service", "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", "https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.youtube.com/watch?v=DIH4SvKuktM", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/", 
"https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly", "https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html", "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html", "https://muha2xmad.github.io/mal-document/remcosdoc/", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://medium.com/@b.magnezi/malware-analysis-ramcos-rat-48fd986328f5", "https://asec.ahnlab.com/en/32376/", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf", "https://intel471.com/blog/privateloader-malware", "https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD", "https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers", "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-three", "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses", 
"https://blog.morphisec.com/nft-malware-new-evasion-abilities", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", "https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/", "https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/", "https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain", "https://www.jaiminton.com/reverse-engineering/remcos#", "https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877", "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout", "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/", "https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method", "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/", "https://cert.gov.ua/article/3804703", "https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/", 
"https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", "https://cert.gov.ua/article/6276652", "https://www.connectwise.com/resources/formbook-remcos-rat", "https://muha2xmad.github.io/unpacking/remcos/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/", "https://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/", "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two", "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://asec.ahnlab.com/ko/25837/", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://secrary.com/ReversingMalware/RemcosRAT/", "https://www.loginsoft.com/post/blue-screen-mayhem-when-crowdstrikes-glitch-became-threat-actors-playground", "https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/", "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", "https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html", "http://malware-traffic-analysis.net/2017/12/22/index.html", 
"https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/", "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://embeeresearch.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/", "https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/", "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", "https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/" ], "synonyms": [ "RemcosRAT", "Remvio", "Socmer" ], "type": [] }, "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", "value": "Remcos" }, { "description": "Remexi is a highly advanced and stealthy malware discovered in recent times. It employs sophisticated evasion techniques to infiltrate target systems and networks undetected. This malware utilizes various propagation vectors, including exploit kits, social engineering tactics, and compromised websites. Once inside a system, Remexi establishes persistence through rootkit capabilities and leverages command-and-control infrastructure to receive and execute malicious commands. 
It possesses keylogging and data exfiltration capabilities, enabling it to steal sensitive information such as login credentials and financial data. Additionally, Remexi can download and execute additional payloads, making it adaptable and capable of evolving its malicious activities over time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf", "https://securelist.com/chafer-used-remexi-malware/89538/", "https://www.secureworks.com/research/threat-profiles/cobalt-hickman", "https://twitter.com/QW5kcmV3/status/1095833216605401088", "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf", "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" ], "synonyms": [ "CACHEMONEY" ], "type": [] }, "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada", "value": "Remexi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remoteadmin", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=hacktool:win32/remoteadmin&ThreatID=2147731874" ], "synonyms": [], "type": [] }, "uuid": "6730a859-f2b9-48f9-8d2b-22944a79c072", "value": "RemoteAdmin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remotecontrolclient", "https://github.com/frozleaf/RemoteControl" ], "synonyms": [ "remotecontrolclient" ], "type": [] }, "uuid": "44aae79d-c2f5-47f6-99c1-540c0c5420db", "value": "RemoteControl" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider", "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf", "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html" ], "synonyms": [], "type": [] }, "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", "value": "Remsec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy", "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn" ], "synonyms": [ "WINDSHIELD" ], "type": [] }, "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c", "value": "Remy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom", "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf" ], "synonyms": [], "type": [] }, "uuid": "a1f137d4-298f-4761-935d-bd39ab898479", "value": "Rerdom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reshell", "https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html", "https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/" ], "synonyms": [], "type": [] }, "uuid": "37333fe3-0b6a-4b3b-9f2f-90d29ee5419a", "value": "Reshell" }, { "description": "According to Cisco Talos, Resident is a backdoor likely developed by the same author as win.warmcookie, and it was observed being delivered in intrusions they attribute 
to TA866. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.resident", "https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign" ], "synonyms": [], "type": [] }, "uuid": "91435d91-0985-483b-bffb-9762b9cb0287", "value": "Resident" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup", "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/", "https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/" ], "synonyms": [], "type": [] }, "uuid": "42fa55e3-e708-4c11-b807-f31573639941", "value": "Retadup" }, { "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. 
The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe", "https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/", "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/", "https://github.com/cocaman/retefe", "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", "https://github.com/Tomasuh/retefe-unpacker", "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", "https://www.govcert.admin.ch/blog/35/reversing-retefe", "https://www.govcert.admin.ch/blog/33/the-retefe-saga" ], "synonyms": [ "Tsukuba", "Werdlod" ], "type": [] }, "uuid": "96bf1b6d-28e1-4dd9-aabe-23050138bc39", "value": "Retefe (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/" ], "synonyms": [], "type": [] }, "uuid": "a4dc538e-09b7-4dba-99b0-e8b8b70dd42a", "value": "Retro" }, { "description": "According to its author, Revenant is a 3rd party agent for Havoc written in C, and based on Talon. 
This implant is meant to expand on the Talon implant by implementing covert methods of execution, robust capabilities, and more customization.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant", "https://github.com/0xTriboulet/Revenant" ], "synonyms": [], "type": [] }, "uuid": "c95db5a7-8405-4931-868f-1a33ea7e8f6b", "value": "Revenant" }, { "description": "According to Cofense, Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat", "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md", "https://blogs.360.cn/post/APT-C-44.html", "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", "https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/", "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/", "https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/", "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html", "https://isc.sans.edu/diary/rss/22590", "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns", "https://blog.reversinglabs.com/blog/rats-in-the-library", 
"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://embee-research.ghost.io/introduction-to-dotnet-configuration-extraction-revengerat/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://blog.reversinglabs.com/blog/dotnet-loaders", "https://securelist.com/revengehotels/95229/", "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america" ], "synonyms": [ "Revetrat" ], "type": [] }, "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f", "value": "Revenge RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388", "https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/", "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/", "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf", "https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/" ], "synonyms": [], "type": [] }, "uuid": "c3b6a9f9-afef-4249-ab59-afc5b2efc0b3", "value": "ReverseRAT" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reveton", "https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/" ], "synonyms": [], "type": [] }, "uuid": "48c10822-9af8-4324-9516-b33ecf975590", "value": "Reveton" }, { "description": "REvil Beta\r\nMD5: 
bed6fc04aeb785815744706239a1f243\r\nSHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf\r\nSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45\r\n* Privilege escalation via CVE-2018-8453 (64-bit only)\r\n* Rerun with RunAs to elevate privileges\r\n* Implements a requirement that if \"exp\" is set, privilege escalation must be successful for full execution to occur\r\n* Implements target whitelisting using GetKetboardLayoutList\r\n* Contains debug console logging functionality\r\n* Defines the REvil registry root key as SOFTWARE\\!test\r\n* Includes two variable placeholders in the ransom note: UID & KEY\r\n* Terminates processes specified in the \"prc\" configuration key prior to encryption\r\n* Deletes shadow copies and disables recovery\r\n* Wipes contents of folders specified in the \"wfld\" configuration key prior to encryption\r\n* Encrypts all non-whitelisted files on fixed drives\r\n* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe\r\n* Partially implements a background image setting to display a basic \"Image text\" message\r\n* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)\r\n------------------------------------\r\nREvil 1.00\r\nMD5: 65aa793c000762174b2f86077bdafaea\r\nSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457\r\nSHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc\r\n* Adds 32-bit implementation of CVE-2018-8453 exploit\r\n* Removes console debug logging\r\n* Changes the REvil registry root key to SOFTWARE\\recfg\r\n* Removes the System/Impersonation success requirement for encrypting network mapped drives\r\n* Adds a \"wipe\" key to the configuration for optional folder wiping\r\n* Fully implements the background image setting and leverages values defined in the \"img\" configuration key\r\n* Adds an EXT variable placeholder to the ransom 
note to support UID, KEY, and EXT\r\n* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL\r\n* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data\r\n------------------------------------\r\nREvil 1.01\r\nMD5: 2abff29b4d87f30f011874b6e98959e9\r\nSHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c\r\nSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb\r\n* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level\r\n* Makes encryption of network mapped drives optional by adding the \"-nolan\" argument\r\n------------------------------------\r\nREvil 1.02\r\nMD5: 4af953b20f3a1f165e7cf31d6156c035\r\nSHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299\r\nSHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4\r\n* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage\r\n* Partially implements \"lock file\" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. 
There is no evidence that a lock file is dropped to disk.)\r\n* Enhances folder whitelisting logic that take special considerations if the folder is associated with \"program files\" directories\r\n* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories\r\n* Hard-codes whitelisting of \"sql\" subfolders within program files\r\n* Encrypts program files sub-folders that does not contain \"sql\" in the path\r\n* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted\r\n* Encodes stored strings used for URI building within the binary and decodes them in memory right before use\r\n* Introduces a REvil registry root key \"sub_key\" registry value containing the attacker's public key\r\n------------------------------------\r\nREvil 1.03\r\nMD5: 3cae02306a95564b1fff4ea45a7dfc00\r\nSHA1: 0ce2cae5287a64138d273007b34933362901783d\r\nSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf\r\n* Removes lock file logic that was partially implemented in 1.02\r\n* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)\r\n* Encodes stored shellcode\r\n* Adds the -path argument:\r\n* Does not wipe folders (even if wipe == true)\r\n* Does not set desktop background\r\n* Does not contact the C2 server (even if net == true)\r\n* Encrypts files in the specified folder and drops the ransom note\r\n* Changes the REvil registry root key to SOFTWARE\\QtProject\\OrganizationDefaults\r\n* Changes registry key values from --> to:\r\n * sub_key --> pvg\r\n * pk_key --> sxsP\r\n * sk_key --> BDDC8\r\n * 0_key --> f7gVD7\r\n * rnd_ext --> Xu7Nnkd\r\n * stat --> sMMnxpgk\r\n------------------------------------\r\nREvil 1.04\r\nMD5: 6e3efb83299d800edf1624ecbc0665e7\r\nSHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d\r\nSHA256: 
2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6\r\n* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)\r\n* Removes the folder wipe capability\r\n* Changes the REvil registry root key to SOFTWARE\\GitForWindows\r\n* Changes registry key values from --> to:\r\n * pvg --> QPM\r\n * sxsP --> cMtS\r\n * BDDC8 --> WGg7j\r\n * f7gVD7 --> zbhs8h\r\n * Xu7Nnkd --> H85TP10\r\n * sMMnxpgk --> GCZg2PXD\r\n------------------------------------\r\nREvil v1.05\r\nMD5: cfefcc2edc5c54c74b76e7d1d29e69b2\r\nSHA1: 7423c57db390def08154b77e2b5e043d92d320c7\r\nSHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea\r\n* Adds a new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.\r\n* Implements persistence functionality via a registry Run key. The data for the value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The registry value used is the hardcoded value 'lNOWZyAWVv':\r\n * SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lNOWZyAWVv\r\n* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). 
This breaks persistence, however, as the target executable specified in the Run key will no longer exist once this is done.\r\n* Changes registry key values from --> to:\r\n * QPM --> tgE\r\n * cMtS --> 8K09\r\n * WGg7j --> xMtNc\r\n * zbhs8h --> CTgE4a\r\n * H85TP10 --> oE5bZg0\r\n * GCZg2PXD --> DC408Qp4\r\n------------------------------------\r\nREvil v1.06\r\nMD5: 65ff37973426c09b9ff95f354e62959e\r\nSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e\r\nSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e\r\n* Updates the string decoding function to break existing yara rules. Likely the result of the blog posted by us.\r\n* Modifies handling of network file encryption. Now explicitly passes every possible \"Scope\" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the \"Resource Type\" from RESOURCETYPE_DISK to RESOURCETYPE_ANY, which will now include things like mapped printers.\r\n* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'\r\n* Changes registry key values from --> to:\r\n * tgE --> 73g\r\n * 8K09 --> vTGj\r\n * xMtNc --> Q7PZe\r\n * CTgE4a --> BuCrIp\r\n * oE5bZg0 --> lcZd7OY\r\n * DC408Qp4 --> sLF86MWC\r\n------------------------------------\r\nREvil v1.07\r\nMD5: ea4cae3d6d8150215a4d90593a4c30f2\r\nSHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e\r\nSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3\r\nTBD", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil", "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/", "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/", "https://isc.sans.edu/diary/27012", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", 
"https://home.treasury.gov/news/press-releases/jy0471", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/", "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/", "https://asec.ahnlab.com/ko/19860/", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html", "https://www.connectwise.com/resources/revil-profile", "https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/", "https://www.flashpoint-intel.com/blog/revil-disappears-again/", "https://www.kaseya.com/potential-attack-on-kaseya-vsa/", "https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422", "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2", "https://www.secureworks.com/research/lv-ransomware", "https://threatpost.com/ransomware-revil-sites-disappears/167745/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/", "https://blog.group-ib.com/REvil_RaaS", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/", "https://www.bbc.com/news/technology-59297187", "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo", 
"https://ke-la.com/will-the-revils-story-finally-be-over/", "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf", "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", "https://threatintel.blog/OPBlueRaven-Part1/", "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/", "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf", "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/", "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics", "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/", "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/", "https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/", 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/", "https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20", "https://twitter.com/svch0st/status/1411537562380816384", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/", "https://www.netskope.com/blog/netskope-threat-coverage-revil", "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/", "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin", "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/", "https://twitter.com/SophosLabs/status/1413616952313004040?s=20", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://hatching.io/blog/ransomware-part2", 
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://twitter.com/fwosar/status/1411281334870368260", "https://www.grahamcluley.com/travelex-paid-ransom/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html", "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident", "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/", "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain", "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs", "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter", "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/", "https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/", "https://blog.amossys.fr/sodinokibi-malware-analysis.html", "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/", 
"https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "http://www.secureworks.com/research/threat-profiles/gold-southfield", "https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html", "https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up", "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html", "https://community.riskiq.com/article/3315064b", "https://www.certego.net/en/news/malware-tales-sodinokibi/", "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html", "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/", "https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/", "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/", "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html", "https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload", 
"https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil", "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf", "https://securelist.com/ransomware-world-in-2021/102169/", "https://www.kpn.com/security-blogs/Tracking-REvil.htm", "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process", "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html", "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://unit42.paloaltonetworks.com/prometheus-ransomware/", "https://velzart.nl/blog/ransomeware/", "https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://securelist.com/sodin-ransomware/91473/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://twitter.com/SyscallE/status/1411074271875670022", "https://twitter.com/SophosLabs/status/1412056467201462276", "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment", "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", "https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/", "https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view", "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/", "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/", 
"https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti", "https://twitter.com/LloydLabs/status/1411098844209819648", "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.secureworks.com/blog/revil-the-gandcrab-connection", "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom", "https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit", "https://redcanary.com/blog/uncompromised-kaseya/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/", "https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.youtube.com/watch?v=tZVFMVm5GAk", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", 
"https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/", "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/", "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses", "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", "https://twitter.com/R3MRUM/status/1412064882623713283", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", 
"https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004", "https://www.youtube.com/watch?v=P8o6GItci5w", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions", "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/", "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/", "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/", "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", "https://twitter.com/VK_Intel/status/1411066870350942213", "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", "https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/", "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/", "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", 
"https://unit42.paloaltonetworks.com/revil-threat-actors/", "https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf", "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya", "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://twitter.com/resecurity_com/status/1412662343796813827", "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf", "https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged", "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope", 
"https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/", "https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/", "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version", "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://vimeo.com/449849549", "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/", "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil", "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/", "https://twitter.com/VK_Intel/status/1374571480370061312?s=20", "https://twitter.com/_alex_il_/status/1412403420217159694", 
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt", "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html", "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.youtube.com/watch?v=l2P5CMH9TE0", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.ironnet.com/blog/ransomware-graphic-blog", "https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/", "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/", "https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801", "https://twitter.com/fwosar/status/1420119812815138824", "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", 
"https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40", "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", "https://twitter.com/Jacob_Pimental/status/1391055792774729728", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/", "https://asec.ahnlab.com/ko/19640/", "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://www.secureworks.com/research/threat-profiles/gold-southfield", "https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/", "https://www.cyjax.com/2021/07/09/revilevolution/", "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html", "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/", "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html", "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", "https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/", "https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.youtube.com/watch?v=QYQQUUpU04s", 
"https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/", "https://analyst1.com/file-assets/History-of-REvil.pdf" ], "synonyms": [ "Sodin", "Sodinokibi" ], "type": [] }, "uuid": "e7698597-e0a9-4f4b-9920-09f5db225bd4", "value": "REvil (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/", "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" ], "synonyms": [], "type": [] }, "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1", "value": "RGDoor" }, { "description": "According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.\r\n\r\nAt the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. 
These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys", "https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm", "https://www.malware-traffic-analysis.net/2023/01/03/index.html", "https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques", "https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://research.checkpoint.com/2024/stargazers-ghost-network/", "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web", "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://outpost24.com/blog/rhadamanthys-malware-analysis/", "https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/", "https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/", "https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/", "https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer", "https://go.recordedfuture.com/hubfs/reports/mtp-2024-0926.pdf", "https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", 
"https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign", "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88" ], "synonyms": [], "type": [] }, "uuid": "50d322d7-c7e0-4d9b-9996-e5767caa8f1c", "value": "Rhadamanthys" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino", "https://www.vmray.com/cyber-security-blog/rhino-ransomware-malware-analysis-spotlight/" ], "synonyms": [], "type": [] }, "uuid": "cff6ec82-9d14-4307-9b5b-c0bd17e62f2a", "value": "Rhino" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" ], "synonyms": [], "type": [] }, "uuid": "5f1bac43-6506-43f0-b5d6-709a39abd671", "value": "RHttpCtrl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida", "https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/", "https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/", "https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2", "https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf", "https://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/", 
"https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/", "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", "https://www.linkedin.com/posts/prodaft_organic-relationship-between-rhysida-vice-activity-7091777236663427072-NQEs", "https://www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/", "https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation", "https://www.shadowstackre.com/analysis/rhysida", "https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", "https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware", "https://blog.talosintelligence.com/rhysida-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "a7d77891-afc2-4be6-b831-a3b2253fb195", "value": "Rhysida (Windows)" }, { "description": "Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/", "https://blog.avast.com/rietspoof-malware-increases-activity", "https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/" ], "synonyms": [], "type": [] }, "uuid": "ec67123a-c3bc-4f46-b9f3-569c19e224ca", "value": "Rietspoof" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://mega.nz/file/lkh1gY5C#93FUlwTwl0y27cfM0jtm4SYnWbtk06d0qoDg1e4eQ6s", 
"http://www.issuemakerslab.com/research3/", "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" ], "synonyms": [], "type": [] }, "uuid": "2639b71e-1bf1-4cd2-8fa2-9498e893ef3f", "value": "Rifdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043", "value": "Rikamanu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf" ], "synonyms": [], "type": [] }, "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a", "value": "Rincux" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "a85b0619-ed8e-4324-8603-af211d682dac", "value": "Ripper ATM" }, { "description": "RisePro is a stealer that is spread through downloaders like win.privateloader. 
Once executed on a system, the malware can steal credit card information, passwords, and personal data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro", "https://embee-research.ghost.io/identifying-risepro-panels-using-censys/", "https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/", "https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service", "https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://research.checkpoint.com/2024/stargazers-ghost-network/", "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://www.linkedin.com/posts/threatmon_risepro-stealer-malware-analysis-report-ugcPost-7180497665137221633-aUGL?utm_source=share&utm_medium=member_desktop", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf" ], "synonyms": [], "type": [] }, "uuid": "20ba0ede-454c-461d-a0e1-c053a838faa2", "value": "RisePro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun", "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "148a7078-3a38-4974-8990-9d5881f8267b", "value": "Rising Sun" }, { "description": "Created from the codebase of Gozi/ISFB.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3", "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/", "https://twitter.com/URSNIFleak" ], "synonyms": [], 
"type": [] }, "uuid": "dec5b601-16b5-439a-8b2a-4ebc7ec31de5", "value": "RM3" }, { "description": "CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms", "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/", "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf", "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf" ], "synonyms": [ "Gussdoor", "Remote Manipulator System", "RuRAT" ], "type": [] }, "uuid": "94339b04-9332-4691-b820-5021368f1d3a", "value": "RMS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roadsweep", "https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?e=48754805&hl=en" ], "synonyms": [], "type": [] }, "uuid": 
"4dee0861-e19d-42ee-a68e-c08c39146407", "value": "ROADSWEEP" }, { "description": "According to SOCRadar, this is a batch script that uses WinRAR to delete files with target file extensions from a disk.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roar_bat", "https://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/", "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" ], "synonyms": [], "type": [] }, "uuid": "7ef66505-9b5b-4a80-af64-b51dc7a006ba", "value": "RoarBAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood", "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/", "https://twitter.com/VK_Intel/status/1121440931759128576", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://goggleheadedhacker.com/blog/post/12", "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/", "https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", 
"https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/", "https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/", "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/" ], "synonyms": [ "RobbinHood" ], "type": [] }, "uuid": "6f3469f6-7a56-4ba3-a340-f10746390226", "value": "RobinHood" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock" ], "synonyms": [ "yellowalbatross" ], "type": [] }, "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192", "value": "rock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware" ], "synonyms": [], "type": [] }, "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e", "value": "Rockloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin" ], "synonyms": [], "type": [] }, "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf", "value": "Rofin" }, { "description": "A .NET variant of ps1.roguerobin", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin", "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", 
"https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/" ], "synonyms": [], "type": [] }, "uuid": "25b08d2e-f803-4520-9518-4d95ce9f6ed4", "value": "RogueRobinNET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c", "value": "Rokku" }, { "description": "It is a backdoor commonly distributed as an encoded\r\nbinary file downloaded and decrypted by shellcode following the\r\nexploitation of weaponized documents. DOGCALL is capable of\r\ncapturing screenshots, logging keystrokes, evading analysis with\r\nanti-virtual machine detections, and leveraging cloud storage APIs\r\nsuch as Cloud, Box, Dropbox, and Yandex.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf", "https://www.0x0v1.com/rearchive-rokrat-hwp/", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://asec.ahnlab.com/en/51751/", "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/", "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", 
"https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab", "https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247496455&idx=1&sn=0e3af7d734671a41c9d796e7f33b085d&chksm=f9ed9fb8ce9a16ae8e9714f116e0812994e0e3d13eb75d05182e623372fc5b979d70cf403f39&scene=178&cur_album_id=1375769135073951745", "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/", "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", "https://asec.ahnlab.com/en/65076/", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://twitter.com/ESETresearch/status/1575103839115804672", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/", "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/", "https://www.ibm.com/downloads/cas/Z81AVOY7", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://threatmon.io/reverse-engineering-rokrat-a-closer-look-at-apt37s-onedrive-based-attack-vector/", "http://v3lo.tistory.com/24", "https://unit42.paloaltonetworks.com/atoms/moldypisces/", "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.youtube.com/watch?v=uoBQE5s2ba4" ], "synonyms": [ 
"DOGCALL" ], "type": [] }, "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", "value": "RokRAT" }, { "description": "ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic Linked Library (DLL) with no named exports. When observed by Mandiant it uniquely had only one ordinal export 0x01. This suggested the sample was designed to avoid detection and be invoked within memory, possibly through BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rollcoast", "https://www.mandiant.com/resources/sabbath-ransomware-affiliate" ], "synonyms": [ "Arcane", "S4bb47h", "Sabbath" ], "type": [] }, "uuid": "a3178bd5-719b-4065-9a55-d13bb34e5c14", "value": "ROLLCOAST" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roll_sling", "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "40a0d770-21bd-4561-aba0-bfe000bc18b0", "value": "RollSling" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik", "http://blogs.cisco.com/security/talos/rombertik" ], "synonyms": [ "CarbonGrabber" ], "type": [] }, "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1", "value": "Rombertik" }, { "description": "Unit 42 observed threat actor Tropical Scorpius using this RAT in operations where also Cuba ransomware was deployed.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat", "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/", "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/", "https://cert.gov.ua/article/3349703", 
"https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/", "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass", "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/", "https://blog.talosintelligence.com/uat-5647-romcom/", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries", "https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/", "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit" ], "synonyms": [ "PEAPOD", "SingleCamper", "SnipBot" ], "type": [] }, "uuid": "5f1c11d3-c6ac-4368-a801-cced88a9d93b", "value": "ROMCOM RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" ], "synonyms": [], "type": [] }, "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", "value": "Romeo(Alfa,Bravo, ...)" }, { "description": "According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note (\"HowToRestoreYourFiles.txt\"). Rook renames files by appending the \".Rook\" extension. 
For example, it renames \"1.jpg\" to \"1.jpg.Rook\", \"2.jpg\" to \"2.jpg.Rook\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/", "https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/", "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md", "https://seguranca-informatica.pt/rook-ransomware-analysis/" ], "synonyms": [], "type": [] }, "uuid": "5df87e9b-4fd1-4f48-92d7-416b7d83313f", "value": "Rook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" ], "synonyms": [], "type": [] }, "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9", "value": "Roopirs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopy", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" ], "synonyms": [], "type": [] }, "uuid": "68050d50-eece-43ba-8668-0825eab940f0", "value": "Roopy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rorschach", "https://www.group-ib.com/blog/bablock-ransomware/", "https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/", 
"https://medium.com/@simone.kraus/rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75", "https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/d/an-analysis-of-the-bablock-ransomware-/iocs-an-analysis-of-the-babLock-ransomware.txt" ], "synonyms": [ "BabLock" ], "type": [] }, "uuid": "86c3434c-ca86-4109-b0fc-61d14d59505c", "value": "Rorschach Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" ], "synonyms": [ "PisLoader" ], "type": [] }, "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b", "value": "Roseam" }, { "description": "A DLL backdoor distributed by Raspberry Robin. According to Avast Decoded, Roshtyak belongs to one of the best-protected malware strains they have ever seen.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roshtyak", "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://unit42.paloaltonetworks.com/unsigned-dlls/", "https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" ], "synonyms": [], "type": [] }, "uuid": "398316b7-3ccd-445e-ab10-4428f165649f", "value": "Roshtyak" }, { "description": "Ransomware that was discovered over the last months of 2016 and likely based on Gomasom, another ransomware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt", 
"https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/", "https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html" ], "synonyms": [ "RotoCrypt", "Rotor" ], "type": [] }, "uuid": "f20ef9a8-6ffc-4ef2-98ba-44f6b2eab966", "value": "RotorCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover", "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", "value": "Rover" }, { "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", "https://securelist.com/oh-what-a-boot-iful-mornin/97365", "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/" ], "synonyms": [ "BkLoader", "Cidox", "Mayachok" ], "type": [] }, "uuid": 
"8d984309-b7fa-4ccf-a6b7-da17283aae2f", "value": "Rovnix" }, { "description": "RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://github.com/nccgroup/Royal_APT", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", "value": "RoyalCli" }, { "description": "RoyalDNS is a DNS based backdoor used by APT15 that persistences on a system through a service called 'Nwsapagent'.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://github.com/nccgroup/Royal_APT", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", "value": "Royal DNS" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom", "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a", 
"https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware", "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", "https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/", "https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal", "https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html", "https://www.cybereason.com/blog/royal-ransomware-analysis", "https://socradar.io/dark-web-profile-royal-ransomware/", "https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/", "https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware", "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://unit42.paloaltonetworks.com/royal-ransomware/", "https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html", "https://www.coalitioninc.com/blog/active-exploitation-firewalls", "https://securityscorecard.pathfactory.com/research/the-royal-ransomware", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive", 
"https://www.bridewell.com/insights/news/detail/hunting-for-ursnif", "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/", "https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html" ], "synonyms": [], "type": [] }, "uuid": "df1baad8-e4b6-4507-964c-6e9a8dd5252c", "value": "Royal Ransom (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", "https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor", "https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/", "https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors", "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" ], "synonyms": [], "type": [] }, "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766", "value": "Rozena" }, { "description": "RTM Banker also known as Redaman was first blogged about in February 2017 by ESET. The malware is written in Delphi and shows some similarities (like process list) with Buhtrap. 
It uses a slightly modified version of RC4 to encrypt its strings, network data, configuration and modules, according to ESET.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", "https://jonahacks.medium.com/malware-analysis-manual-unpacking-of-redaman-ec1782352cfb", "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/", "https://www.youtube.com/watch?v=YXnNO3TipvM", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html" ], "synonyms": [ "Redaman" ], "type": [] }, "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", "value": "RTM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm_locker", "https://www.quorumcyber.com/threat-intelligence/rtm-locker-ransomware-targets-vmware-esxi-servers/", "https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html", "https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux" ], "synonyms": [ "Read The Manual Locker" ], "type": [] }, "uuid": "b299d033-7772-44a6-a8e0-6b8c5f8af5c6", "value": "RTM Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf", "http://reversing.fun/posts/2022/01/30/rtpos.html" ], "synonyms": [], "type": [] }, "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b", "value": "rtpos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv", 
"https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ], "synonyms": [], "type": [] }, "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", "value": "Ruckguv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" ], "synonyms": [], "type": [] }, "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70", "value": "Rumish" }, { "description": "NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. 
The second DLL also uses several anti-debugging techniques.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/", "https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining" ], "synonyms": [ "running_rat" ], "type": [] }, "uuid": "b746a645-5974-44db-a811-a024214b7fba", "value": "Running RAT" }, { "description": "RURansom shows characteristics of typical ransomware, but despite its name, TrendMicro's analysis suggests that this malware is more a wiper than ransomware, because of the irreversible destruction of the encrypted files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruransom", "https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html", "https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html", "https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/" ], "synonyms": [], "type": [] }, "uuid": "bdcfb449-e897-4c44-a429-7665cce194fe", "value": "RURansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar", "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" ], "synonyms": [ "RCSU" ], "type": [] }, "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", "value": "Rurktar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustbucket", "https://sansorg.egnyte.com/dl/3P3HxFiNgL", "https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/" ], "synonyms": [], "type": [] }, "uuid": "832680ff-8b29-492e-8523-62510eb5d021", "value": "RustBucket (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", 
"http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", "https://www.secureworks.com/blog/research-21041", "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", "https://darknetdiaries.com/episode/110/", "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/" ], "synonyms": [], "type": [] }, "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", "value": "Rustock" }, { "description": "Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It has been observed being used to attack companies or professional environments. Cybersecurity experts found that Ryuk and Hermes ransomware share pieces of code. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk", "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html", "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/", "https://twitter.com/ffforward/status/1324281530026524672", "https://www.youtube.com/watch?v=HwfRxjV2wok", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption", "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://twitter.com/SophosLabs/status/1321844306970251265", "https://0xchina.medium.com/malware-reverse-engineering-31039450af27", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://twitter.com/Prosegur/status/1199732264386596864", 
"https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/", "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://twitter.com/SecurityJoes/status/1402603695578157057", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf", "https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/", 
"https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up", "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/", "https://twitter.com/anthomsec/status/1321865315513520128", "https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects", "https://github.com/scythe-io/community-threats/tree/master/Ryuk", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP", "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more", "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", 
"https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/", "https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/", "https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/", "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html", "https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://blog.reversinglabs.com/blog/hunting-for-ransomware", 
"https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.youtube.com/watch?v=7xxRunBP5XA", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://community.riskiq.com/article/0bcefe76", "https://arcticwolf.com/resources/blog/karakurt-web", "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf", "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/", "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/", "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", 
"https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html", "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets", "https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/", "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://medium.com/@shaddy43/from-infection-to-encryption-tracing-the-impact-of-ryuk-ransomware-64bd8656781c", "https://blog.cyberint.com/ryuk-crypto-ransomware", "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf", 
"https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021", "https://community.riskiq.com/article/c88cf7e6", "https://twitter.com/IntelAdvanced/status/1356114606780002308", "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/", "https://www.youtube.com/watch?v=BhjQ6zsCVSc", "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/", "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://www.youtube.com/watch?v=Of_KjNG9DHc", "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/", 
"https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://twitter.com/IntelAdvanced/status/1353546534676258816", "https://www.youtube.com/watch?v=CgDtm05qApE", "https://www.scythe.io/library/threatthursday-ryuk", "https://www.secureworks.com/research/threat-profiles/gold-ulrick" ], "synonyms": [], "type": [] }, 
"uuid": "62c79940-184e-4b8d-9237-35434bb79678", "value": "Ryuk" }, { "description": "Information Stealer that searches for sensitive documents and uploads its results to an FTP server. Skips files with known Ryuk extensions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer", "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/", "https://twitter.com/VK_Intel/status/1171782155581689858", "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/", "https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf" ], "synonyms": [ "Sidoh" ], "type": [] }, "uuid": "0f0e5355-1dbf-4af4-aebf-88b08e6272a4", "value": "Ryuk Stealer" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sadogo", "https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "188528f1-1292-4aaa-b1e6-3fe0ab78ff81", "value": "Sadogo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saefko", "https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat" ], "synonyms": [], "type": [] }, "uuid": "60124475-1c52-4108-81cf-7b9fa0f0d3bb", "value": "Saefko" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.safenet", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf" ], "synonyms": [], "type": [] }, "uuid": "d16f9dc6-290d-4174-8b47-a972cc52dac7", "value": "SafeNet" }, { "description": "According to Symantec, Sagerunex is a backdoor that is fairly resilient and implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted and the encryption algorithm used is AES256-CBC with 8192 rounds of SHA256 for key derivation based on a hardcoded key. 
It supports multiple methods for communicating via HTTP (proxy-aware).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority" ], "synonyms": [], "type": [] }, "uuid": "d8228309-ebf8-46fd-a968-bd9e24c498b4", "value": "Sagerunex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom", "https://www.cert.pl/en/news/single/sage-2-0-analysis/", "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", "http://malware-traffic-analysis.net/2017/10/13/index.html", "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/" ], "synonyms": [ "Saga" ], "type": [] }, "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", "value": "SAGE" }, { "description": "FireEye reports SaiGon as a variant of ISFB v3 (versions documented are tagged 3.50.132) that is more of a generic backdoor than one focused on enabling banking fraud.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html" ], "synonyms": [], "type": [] }, "uuid": "08817c1e-3a90-4c9b-b332-52ebe72669c5", "value": "SaiGon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot", "https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/", "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/", "https://unit42.paloaltonetworks.com/atoms/nascentursa/", "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/", 
"https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://cert.gov.ua/article/18419" ], "synonyms": [], "type": [] }, "uuid": "aa0afca8-551e-4fc7-a314-f541b80c6833", "value": "Saint Bot" }, { "description": "This backdoor, written in .NET, abuses the DNS protocol for its C2 communication. Other techniques (e.g. long random sleeps, compression) are also used to make it stealthier.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saitama", "https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/", "https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html", "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html", "https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt", "https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738" ], "synonyms": [ "AMATIAS", "Saitama" ], "type": [] }, "uuid": "435e482d-adfe-4b28-936e-d13fda800767", "value": "Saitama Backdoor" }, { "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/sakula-malware-family", "https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group", "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99", "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/", "https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654", 
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", "https://www.malwarebytes.com/blog/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion" ], "synonyms": [ "Sakurel" ], "type": [] }, "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", "value": "Sakula RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea", "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf", "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware", "https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/" ], "synonyms": [ "BadCake" ], "type": [] }, "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", "value": "Salgorea" }, { "description": "F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware.\r\n\r\nModern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.\r\n\r\nInfection\r\nSality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. 
The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult.\r\n\r\nEarlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.\r\n\r\nPayload\r\nOnce installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf", "https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py", "https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/", "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", 
"https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail", "https://unit42.paloaltonetworks.com/c2-traffic/", "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [], "type": [] }, "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a", "value": "Sality" }, { "description": "According to PCrisk, SamoRAT is a Remote Access Trojan (RAT), a type of malware that allows the cyber criminals responsible to monitor and control the infected computer. In most cases, RATs are used to steal sensitive information and/or install other malware onto the infected computer. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samo_rat", "https://business.xunison.com/analysis-of-samorat/" ], "synonyms": [], "type": [] }, "uuid": "e2db8349-7535-4748-96ac-a18985cf66b8", "value": "SamoRAT" }, { "description": "According to PCrisk, Samsam is high-risk ransomware designed to infect unpatched servers and encrypt files stored on computers networked to the infected server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", "https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/", "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", 
"https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://www.secureworks.com/blog/samas-ransomware", "https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/", "https://www.secureworks.com/research/samsam-ransomware-campaigns", "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", "http://blog.talosintel.com/2016/03/samsam-ransomware.html", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.secureworks.com/blog/ransomware-deployed-by-adversary", "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public", "https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/", "https://www.secureworks.com/research/threat-profiles/gold-lowell", "https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/", "https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit", "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", "https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/", "https://www.justice.gov/opa/press-release/file/1114746/download" ], "synonyms": [ "Samas" ], "type": [] }, "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", "value": "SamSam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny", 
"http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", "https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html" ], "synonyms": [], "type": [] }, "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", "value": "Sanny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sapphire_miner", "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html" ], "synonyms": [], "type": [] }, "uuid": "32e9c2ce-08a6-47ee-8636-ea83711930b1", "value": "SapphireMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sapphire_stealer", "https://github.com/0day2/SapphireStealer/" ], "synonyms": [], "type": [] }, "uuid": "e1b2b792-033a-438d-a9c4-4d2adf1abb43", "value": "SapphireStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache", "https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails", "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html", "https://blog.alyac.co.kr/2219", "https://blog.alyac.co.kr/m/2219", "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "056eca1f-4195-48c3-81d8-ed554dd1de20", "value": "SappyCache" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust", "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a", "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" ], "synonyms": [ "ENDCMD", "Hussarini" ], "type": [] }, "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", "value": "Sarhust" }, { "description": "Sasfis acts mostly as 
a downloader that has been observed to download Asprox and FakeAV. According to a VirusBulletin article from 2012, it is likely authored by the same group as SmokeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis", "https://www.symantec.com/security-center/writeup/2010-020210-5440-99", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/" ], "synonyms": [ "Oficla" ], "type": [] }, "uuid": "4c4ceb45-b326-45aa-8f1a-1229e90c78b4", "value": "Sasfis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satacom", "https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/" ], "synonyms": [ "LegionLoader" ], "type": [] }, "uuid": "b08af3b5-2453-4d4b-972a-32e6602410f2", "value": "Satacom" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", "https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html", "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2", "https://www.sangfor.com/source/blog-network-security/1094.html", "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/", "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/", 
"https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html" ], "synonyms": [ "5ss5c", "DBGer", "Lucky Ransomware" ], "type": [] }, "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", "value": "Satan" }, { "description": "According to bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer’s master boot record (MBR) and prevents it from starting.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", "https://www.cylance.com/threat-spotlight-satan-raas", "https://blog.reversinglabs.com/blog/retread-ransomware" ], "synonyms": [], "type": [] }, "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", "value": "Satana" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla", "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/", "https://nsarchive.gwu.edu/sites/default/files/documents/3921357/Government-of-Canada-Hackers-are-Humans-Too.pdf" ], "synonyms": [], "type": [] }, "uuid": "957f6c4a-c750-4ba3-820f-5a19d444a57a", "value": "Satellite Turla" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot", "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/" ], "synonyms": [], "type": [] }, "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", "value": "Sathurbot" }, { "description": "According to CISA, this is a command-line port scanning utility from Foundstone. 
It is used to scan for open UDP and TCP ports, grab banners from open ports, resolve IP addresses to host names, and bind to specified ports and IP addresses.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanline", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a", "https://www.cisa.gov/news-events/analysis-reports/ar24-038a" ], "synonyms": [], "type": [] }, "uuid": "56d01dfe-6f23-4f76-9fa3-e30e514b8f7f", "value": "ScanLine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scano", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Scano&threatId=-2147382494" ], "synonyms": [], "type": [] }, "uuid": "cf619d43-0c69-4644-bcd9-e76ceb7c0d88", "value": "Scano" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "https://securitykitten.github.io/2016/11/15/scanpos.html", "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md" ], "synonyms": [], "type": [] }, "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", "value": "ScanPOS" }, { "description": "Ransomware with ransomnote in Russian and encryption extension .scarab.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey", "https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html" ], "synonyms": [ "MVP", "Scarab", "Scarab-Russian" ], "type": [] }, "uuid": "76d20f49-9367-4d36-95d2-7ef8ff55568d", "value": "Scarabey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", 
"https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/", "http://malware-traffic-analysis.net/2017/11/23/index.html" ], "synonyms": [], "type": [] }, "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", "value": "Scarab Ransomware" }, { "description": "Based on the leaked Conti source code.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants" ], "synonyms": [], "type": [] }, "uuid": "7e8e41de-b3f8-4c2b-a9fe-e1aa6532e76b", "value": "ScareCrow" }, { "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken", "https://github.com/vithakur/schneiken", "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb" ], "synonyms": [], "type": [] }, "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", "value": "Schneiken" }, { "description": "The Chinese threat actor has used a custom backdoor dubbed \"Scieron\" over years in several campaigns according to SentinelLABS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363", "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/" ], "synonyms": [], "type": [] }, "uuid": "e343583b-8338-42ea-af60-311578146151", "value": "Scieron" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.scote", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" ], "synonyms": [], "type": [] }, "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", "value": "Scote" }, { "description": "A downloader that uses Windows messages to control its execution flow.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scout", "https://asec.ahnlab.com/en/57685/" ], "synonyms": [], "type": [] }, "uuid": "ca16e8fa-5a86-48be-82ca-40a666b8692b", "value": "Scout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos", "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf", "https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/" ], "synonyms": [], "type": [] }, "uuid": "b5d90140-f307-402c-9d7f-9cdf21a7cb31", "value": "Scranos" }, { "description": "SentinelOne describes this malware as capable of doing screen capture and keylogging. 
It is used by a threat cluster they named WIP19, targeting telecommunications and IT service providers in the Middle East and Asia.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screencap", "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/" ], "synonyms": [], "type": [] }, "uuid": "cba2db46-268c-4203-a982-3bf9985c91a4", "value": "ScreenCap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker", "https://twitter.com/struppigel/status/791535679905927168" ], "synonyms": [], "type": [] }, "uuid": "9803b201-28e5-40c5-b661-c1a191388072", "value": "ScreenLocker" }, { "description": "ScrubCrypt is the rebranded \"Jlaive\" crypter, with a unique capability of .BAT packing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scrubcrypter", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/scrubcrypt-the-rebirth-of-jlaive", "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/", "https://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/" ], "synonyms": [], "type": [] }, "uuid": "6f597339-7eac-4885-b888-bf8a81bca7b3", "value": "ScrubCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://vblocalhost.com/uploads/VB2020-Jung.pdf", "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", 
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://github.com/Tera0017/SDBbot-Unpacker", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "48bbf0b7-d8c3-4ddb-8498-cf8e72b210d8", "value": "SDBbot" }, { "description": "Backdoor written in Python 2, deployed with PyInstaller.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", 
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [ "SeaDuke", "Seadask" ], "type": [] }, "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", "value": "SEADADDY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", "value": "SeaSalt" }, { "description": "SectopRAT, aka ArechClient2, is a .NET RAT with numerous capabilities including multiple stealth functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. 
Additionally, it has several anti-VM and anti-emulator capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat", "https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication", "https://cdn-production.blackpointcyber.com/wp-content/uploads/2022/11/01161208/Blackpoint-Cyber-Ratting-out-Arechclient2-Whitepaper.pdf", "https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://tampabay.tech/2022/11/30/arechclient2/", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs", "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks", "https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers", "https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65", "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/", "https://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8", "https://cyberflorida.org/2022/11/arechclient2/" ], "synonyms": [ "1xxbot", "ArechClient" ], "type": [] }, "uuid": "a7e3b468-399c-419c-87d5-4efcea8ec0cc", "value": "SectopRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll", "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", 
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [], "type": [] }, "uuid": "272268bb-2715-476b-a121-49142581c559", "value": "SeDll" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html" ], "synonyms": [ "azzy", "eviltoss" ], "type": [] }, "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", "value": "Sedreco" }, { "description": "simple tool to facilitate download and persistence of a next-stage tool; collects system information and metadata probably in an attempt to tell sandbox-environments apart from real targets on the server-side; uses domains of search engines like Google to check for Internet connectivity; XOR-based string obfuscation with a 16-byte key", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", 
"http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", "https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/", "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [ "GAMEFISH", "carberplike", "downrage", "jhuhugit", "jkeyskw" ], "type": [] }, "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "value": "Seduploader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seinup", 
"https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html" ], "synonyms": [], "type": [] }, "uuid": "9789dfe8-d156-4f19-8177-25718dd14f1f", "value": "seinup" }, { "description": "According to PCrisk, Sekhmet is ransomware. This malicious program operates by encrypting data and demanding ransom payments for decryption. During the encryption process, all affected files are appended with an extension, consisting of random characters (e.g. \".HrUSsw\", \".WNgh\", \".NdWfEr\", etc.).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet", "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html", "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html" ], "synonyms": [], "type": [] }, "uuid": "b4b4e8c8-fc66-4618-ba35-75f21d7d6922", "value": "Sekhmet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.selfmake", "https://twitter.com/8th_grey_owl/status/1481433481485844483", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" ], "synonyms": [], "type": [] }, "uuid": "2ef98145-45b8-4acf-ba28-71f495581387", "value": "SelfMake Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe", 
"https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf" ], "synonyms": [], "type": [] }, "uuid": "503ca41c-7788-477c-869b-ac530f20c490", "value": "SendSafe" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys", "https://id-ransomware.blogspot.com/2020/02/sepsys-ransomware.html" ], "synonyms": [ "Silvertor Ransomware" ], "type": [] }, "uuid": "08f37434-4aba-439f-afae-fed61f411ac4", "value": "SepSys" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher", "https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic", "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global" ], "synonyms": [], "type": [] }, "uuid": "6025475a-b89d-401d-882d-50fe1b03154f", "value": "Sepulcher" }, { "description": "This malware is protected using VMProtect and related to the loading of KEYPLUG.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serialvlogger", "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf" ], "synonyms": [], "type": [] }, "uuid": "0592daf4-5f68-4087-ad4e-efe773009ca6", "value": "SerialVlogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpent", "https://labs.k7computing.com/index.php/uncovering-the-serpent/" ], "synonyms": [], "type": [] }, "uuid": "446f7e21-f4d0-4725-b1fb-254b090c3e4f", "value": "Serpent Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" ], "synonyms": [], "type": [] }, "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", "value": "Serpico" }, { "description": "ServHelper 
is written in Delphi and according to ProofPoint best classified as a backdoor.\r\n\r\nProofPoint noticed two distinct variants - \"tunnel\" and \"downloader\" (citation):\r\n\"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.\"\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html", "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/", "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", "https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", "https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56", "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/", "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners", 
"https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://insights.oem.avira.com/ta505-apt-group-targets-americas/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/" ], "synonyms": [], "type": [] }, "uuid": "cebfa7af-8c31-4dda-8373-82893c7f43f4", "value": "ServHelper" }, { "description": "A malicious IIS module that allows up/download of files, remote command execution, and using the compromised server as a hop into the network behind.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.session_manager", "https://securelist.com/the-sessionmanager-iis-backdoor/106868/" ], "synonyms": [], "type": [] }, "uuid": "2ed6f7dc-32ba-4799-87b6-8867e8182cec", "value": "SessionManager" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sfile", "https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/", "https://id-ransomware.blogspot.com/2020/02/sfile2-ransomware.html", "https://twitter.com/GrujaRS/status/1296856836944076802?s=20" 
], "synonyms": [ "Escal", "Morseop" ], "type": [] }, "uuid": "6899dd08-a94b-4e76-813e-1b8437d23aa4", "value": "Sfile" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer", "https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/", "https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows", "https://blog.reversinglabs.com/blog/forging-the-shadowhammer", "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/", "https://norfolkinfosec.com/the-first-stage-of-shadowhammer/", "https://www.youtube.com/watch?v=T5wPwvLrBYU", "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://securelist.com/operation-shadowhammer/89992/", "https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/", "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/", "https://mauronz.github.io/shadowhammer-backdoor" ], "synonyms": [ "DAYJOB" ], "type": [] }, "uuid": "51728278-a95c-45a5-9ae0-9897d41d0efb", "value": "shadowhammer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf", "https://www.welivesecurity.com/2022/09/06/worok-big-picture/", "https://www.youtube.com/watch?v=r1zAVX_HnJg", 
"https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://securelist.com/shadowpad-in-corporate-networks/81432/", "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://www.ic3.gov/Media/News/2021/211220.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", "https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html", "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", "https://community.riskiq.com/article/d8b749f2", "https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates", "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf", "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/", "https://attack.mitre.org/groups/G0096", 
"https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf", "https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", "https://www.youtube.com/watch?v=IRh6R8o1Q7U", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/", "https://therecord.media/redecho-group-parks-domains-after-public-exposure/", "https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/", "https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", "https://www.youtube.com/watch?v=_fstHQSK-kk", "https://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/", "https://www.youtube.com/watch?v=i52MH-YFEeo", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2", "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf", 
"https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf", "https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor", "https://www.youtube.com/watch?v=55kaaMGBARM", "https://www.secureworks.com/research/shadowpad-malware-analysis", "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", "https://www.youtube.com/watch?v=YCwyc6SctYs", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://www.youtube.com/watch?v=-7Swd1ZetiQ", "https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/", "https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks", "https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/", "https://www.youtube.com/watch?v=qk9XLDBLPXg", "https://harfanglab.io/en/insidethelab/isoon-leak-analysis/", "https://vms.drweb.com/virus/?i=21995048", "https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html", "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", 
"https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [ "POISONPLUG.SHADOW", "XShellGhost" ], "type": [] }, "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", "value": "ShadowPad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shady_hammock", "https://blog.talosintelligence.com/uat-5647-romcom/" ], "synonyms": [], "type": [] }, "uuid": "5df8173a-8c36-422e-b3f2-7df6503808a7", "value": "ShadyHammock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/" ], "synonyms": [], "type": [] }, "uuid": "f64683c8-50ab-42c0-8b90-881598906528", "value": "Shakti" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [], "type": [] }, "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", "value": "SHAPESHIFT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [ "remotecmd" ], "type": [] }, "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", "value": "shareip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shark", "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/" ], "synonyms": [], "type": [] }, "uuid": "d00c8f94-d6b5-40b7-b167-fc546c5dec38", "value": "Shark" }, { "description": ".NET reimplementation of Cobalt 
Strike beacon/stager", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpbeacon", "https://github.com/mai1zhi2/SharpBeacon" ], "synonyms": [], "type": [] }, "uuid": "12c0e80c-c439-4eaf-9272-f78b16010313", "value": "SharpBeacon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf", "https://eromang.zataz.com/tag/agentbase-exe/" ], "synonyms": [ "Bitrep" ], "type": [] }, "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", "value": "SHARPKNOT" }, { "description": "This tool is made to simplify penetration testing of networks and to create a Swiss-army knife that is made for running on Windows, which is often a requirement during insider-threat simulation engagements.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpmapexec", "https://github.com/cube0x0/SharpMapExec" ], "synonyms": [], "type": [] }, "uuid": "e9940cca-6e3a-45e2-88b7-8fa9ae19c647", "value": "SharpMapExec" }, { "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is derived from its main activity class, “Stage_One”. SharpStage can take screenshots, run arbitrary commands and download additional payloads. It exfiltrates data from the infected machine to a Dropbox account using a Dropbox client implemented in its own code, so its exfiltration traffic goes to a legitimate cloud service rather than to dedicated attacker infrastructure. SharpStage was seen used by the Molerats group in targeted attacks in the Middle East. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", "https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/" ], "synonyms": [ "LastConn" ], "type": [] }, "uuid": "11788d9b-485b-4049-ba5e-1b06d526361e", "value": "SharpStage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstats", "https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf" ], "synonyms": [], "type": [] }, "uuid": "819fd946-ed0e-4cec-ad45-66b88e39b732", "value": "SHARPSTATS" }, { "description": "Kaspersky observed Andariel dropping this ransomware in one case within a series of attacks carried out against targets in South Korea in April 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shatteredglass", "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/", "https://github.com/Hildaboo/Unidentified081Server", "https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine" ], "synonyms": [ "Unidentified 081" ], "type": [] }, "uuid": "2eb8ca65-186b-44ae-bd91-189b3eb5ed54", "value": "SHATTEREDGLASS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shellclient", "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/", "https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms" ], "synonyms": [ "GhostShell" ], "type": [] }, "uuid": "f91adcf2-10ce-4ea3-bfae-ea6e270d56f0", "value": "ShellClient RAT" }, { "description": "PCrisk states that 
ShellLocker is a ransomware-type virus developed using the .NET framework. It was first discovered by Jakub Kroustek and is virtually identical to another ransomware virus called Exotic.\r\n\r\nFollowing infiltration, this virus encrypts stored data (video, audio, etc.) and renames encrypted files using the \"[random_characters].L0cked\" pattern (e.g., \"sample.jpg\" might be renamed to \"gd&=AA0fgoi.L0cked\"). Following successful encryption, ShellLocker opens a pop-up window containing a ransom-demand message.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", "https://twitter.com/JaromirHorejsi/status/813726714228604928" ], "synonyms": [], "type": [] }, "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", "value": "ShellLocker" }, { "description": "Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly targeting Japanese banks and has rich features for remote data extraction and control.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/", "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/" ], "synonyms": [], "type": [] }, "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", "value": "Shifu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", 
"https://www.secureworks.com/research/threat-profiles/bronze-walker", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ], "synonyms": [], "type": [] }, "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", "value": "Shim RAT" }, { "description": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape", "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "07470989-faac-44fb-b505-1d5568b3c716", "value": "SHIPSHAPE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" ], "synonyms": [], "type": [] }, "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", "value": "Shujin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurk", "https://www.pcrisk.com/removal-guides/21513-shurk-steal-malware" ], "synonyms": [], "type": [] }, "uuid": "0a8f367d-b63f-4424-bd63-bb6a69d31b63", "value": "Shurk Steal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" ], "synonyms": [], "type": [] }, "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", "value": "Shurl0ckr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw", 
"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", "https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis", "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/", "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", "https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/" ], "synonyms": [ "Caphaw" ], "type": [] }, "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", "value": "Shylock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidetwist", "https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" ], "synonyms": [], "type": [] }, "uuid": "3275503c-1f0a-4f6c-b13b-ec4ca2b29786", "value": "SideTwist" }, { "description": "Shellcode-based malware family that according to ESET Research was likely written by the same authors as win.crosswalk. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware" ], "synonyms": [ "ScrambleCross" ], "type": [] }, "uuid": "497d1e0f-dd0c-4462-b3e2-fb4a22f8333f", "value": "SideWalk (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html", "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/", "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://s.tencent.com/research/report/479.html", "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/", "https://s.tencent.com/research/report/659.html", "https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c", "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", "https://www.secrss.com/articles/26507", "https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/" ], "synonyms": [], "type": [] }, "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", "value": "SideWinder (Windows)" }, { "description": "Ransomware used by threat actor group DEV-0530, attributed by MSTIC to North Korean origin.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_blue", "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware", 
"https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a" ], "synonyms": [ "H0lyGh0st", "HolyLocker" ], "type": [] }, "uuid": "607ba366-85fa-406f-adef-6ea7b437b39c", "value": "SiennaBlue" }, { "description": "Ransomware used by threat actor group DEV-0530, attributed by MSTIC to North Korean origin.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_purple", "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware", "https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a" ], "synonyms": [ "H0lyGh0st", "HolyLocker" ], "type": [] }, "uuid": "5ae172d0-5742-4c4b-8847-2efaf9dfb121", "value": "SiennaPurple" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.secureworks.com/research/threat-profiles/nickel-academy", 
"https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4", "https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware", "https://www.us-cert.gov/ncas/alerts/TA14-353A", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [ "Destover" ], "type": [] }, "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", "value": "Sierra(Alfa,Bravo, ...)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siesta_graph", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", "https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph", "https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat", "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns", "https://x.com/threatintel/status/1701259256199090217" ], "synonyms": [], "type": [] }, "uuid": "a4f4464a-a8d6-4244-af0a-4a8163ab9f47", "value": "SiestaGraph" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" ], "synonyms": [], "type": [] }, "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", "value": "Siggen6" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sigloader", "https://www.lac.co.jp/lacwatch/report/20201201_002363.html" ], "synonyms": [], "type": [] }, "uuid": "48bf4991-4743-404a-aac1-72855b30e225", "value": "SigLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sihost", "https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/" ], "synonyms": [], "type": [] }, 
"uuid": "c1b6e597-17e6-4485-819e-5aa03904bc61", "value": "sihost" }, { "description": "According to PCrisk, Truebot, also known as Silence.Downloader, is a malicious program that has botnet and loader/injector capabilities. This malware can add victims' devices to a botnet and cause chain system infections (i.e., download/install additional malicious programs/components).\r\n\r\nThere is significant variation in Truebot's infection chains and distribution. It is likely that the attackers using this malicious software will continue to make such changes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/", "https://securelist.com/the-silence/83009/", "https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html", "https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html", "https://github.com/Tera0017/TAFOF-Unpacker", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://norfolkinfosec.com/some-notes-on-the-silence-proxy/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html", "https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/", "https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html", "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a", "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", 
"https://www.group-ib.com/resources/threat-research/silence.html", "http://www.intezer.com/silenceofthemoles/", "https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere", "https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://www.youtube.com/watch?v=FttiysUZmDw", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf", "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/" ], "synonyms": [ "TrueBot" ], "type": [] }, "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", "value": "Silence" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silentgh0st", "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/" ], "synonyms": [], "type": [] }, "uuid": "49a06512-fc83-4fc5-b58d-59e0d4005055", "value": "SilentGh0st" }, { "description": "According to Mandiant, SILENTUPLOADER is an uploader written in MSIL that is dropped by DOSTEALER and is designed to work specifically in tandem with it. 
It checks for files in a specified folder every 30 seconds and uploads them to a remote server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silentuploader", "https://www.mandiant.com/media/17826", "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" ], "synonyms": [], "type": [] }, "uuid": "3ed237f1-35b9-4e74-a37e-966bf023d136", "value": "SILENTUPLOADER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm", "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html" ], "synonyms": [], "type": [] }, "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", "value": "Silon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" ], "synonyms": [], "type": [] }, "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", "value": "Siluhdur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", "https://estr3llas.github.io/unveiling-custom-packers-a-comprehensive-guide/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.youtube.com/watch?v=u2HEGDzd8KM", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://secrary.com/ReversingMalware/iBank/", "https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/" ], "synonyms": [ "iBank" ], "type": [] }, "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d", "value": "Simda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": 
"b56173a1-84e3-4551-ac4a-9e71e65dc9e5", "value": "SimpleFileMover" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.recordedfuture.com/turla-apt-infrastructure/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://en.wikipedia.org/wiki/Torpig", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/", "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan" ], "synonyms": [ "Anserin", "Mebroot", "Quarian", "Theola", "Torpig" ], "type": [] }, "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", "value": "Sinowal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/" ], "synonyms": [], "type": [] }, "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", "value": "Sisfader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skimer", "http://atm.cybercrime-tracker.net/index.php", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" 
], "synonyms": [], "type": [] }, "uuid": "6d5e558a-e640-49c3-87b9-2c102c334b1b", "value": "Skimer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skinnyboy", "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf", "https://cybergeeks.tech/skinnyboy-apt28/" ], "synonyms": [], "type": [] }, "uuid": "fce8d9c9-7d83-4221-b726-5c49ea271109", "value": "SkinnyBoy" }, { "description": "A Microsoft SQL Server backdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20", "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "6a59a639-8070-4c5f-86be-8a2a081cf487", "value": "skip-2.0" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/", "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "Kotel" ], "type": [] }, "uuid": "fac6313b-8068-429c-93ae-21e8072cf667", "value": "Skipper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" ], "synonyms": [], "type": [] }, 
"uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", "value": "Skyplex" }, { "description": "Ransomware produced with a publicly available ransomware builder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slam", "https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/" ], "synonyms": [], "type": [] }, "uuid": "400e437d-13b3-44d9-8f75-34f5e82d6c88", "value": "Slam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", "value": "Slave" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045b", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/" ], "synonyms": [], "type": [] }, "uuid": "a82f80fc-71e8-4dee-8a64-e5cbb4100321", "value": "SLICKSHOES" }, { "description": "- First sighted in 2012\r\n- Attack vector: compromised MikroTik routers; victims are infected when they connect to the router with the MikroTik administration software WinBox\r\n- Discovered by Kaspersky in 2018\r\n\r\nInfection vector\r\n- Infected MikroTik router > malicious DLL (IP4.dll) placed on the router > user connects via WinBox > malicious DLL downloaded onto the user's computer\r\n\r\nBecause the initial stage rides on the legitimate WinBox management channel, router integrity and the DLLs WinBox retrieves from a router are the points to check when hunting for this family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/", "https://securelist.com/apt-slingshot/84312/", "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf" ], "synonyms": [], "type": [] }, "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", "value": "Slingshot" }, { "description": "According to 
VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver", "https://asec.ahnlab.com/en/55652/", "https://embeeresearch.io/shodan-censys-queries/", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://embee-research.ghost.io/shodan-censys-queries/", "https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/", "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", "https://github.com/chronicle/GCTI", "https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/", "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/", "https://asec.ahnlab.com/en/56941/", "https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools", "https://hunt.io/blog/echoes-of-stargazer-goblin-analyzing-shared-ttps-from-an-open-directory", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf", 
"https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://www.telsy.com/download/5900/?uid=b797afdcfb", "https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/", "https://asec.ahnlab.com/en/47088/", "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition", "https://github.com/BishopFox/sliver", "https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf", "https://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc", "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike" ], "synonyms": [], "type": [] }, "uuid": "654c478e-3c9a-4fd9-a9b7-dd6839f51147", "value": "Sliver" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slnrat", "https://asec.ahnlab.com/ko/37764/" ], "synonyms": [], "type": [] }, "uuid": "68bb36d3-d078-483d-b559-e0d8da5f45fe", "value": "slnrat" }, { "description": "According to MITRE, SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017. 
It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia", "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" ], "synonyms": [ "QueenOfClubs" ], "type": [] }, "uuid": "f23d70bc-7de6-49bd-bb69-82518b4d7fca", "value": "SlothfulMedia" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub", "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/", "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bc01fca-9a1e-4669-bd9d-8dd29416f9c1", "value": "SLUB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" ], "synonyms": [ "speccom" ], "type": [] }, "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", "value": "smac" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smackdown", 
"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2013/2013.05.20.Operation_Hangover/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" ], "synonyms": [], "type": [] }, "uuid": "427dcec9-e2b9-44ad-bf58-281b7ba971bb", "value": "Smackdown" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager", "https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html", "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set", "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", "https://blog.group-ib.com/task", "https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/", "https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214", "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html", "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/", "https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4", "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html" ], "synonyms": [ "PhantomNet" ], "type": [] }, "uuid": "1a6a6e4c-3e0e-422b-9840-9c6286dc7b17", "value": "SManager" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smarteyes", "https://www.virustotal.com/gui/file/4eb840617883bf6ed7366242ffee811ad5ea3d5bfd2a589a96d6ee9530690d28/details" ], "synonyms": [], "type": [] }, "uuid": "67723f6e-822b-475a-938b-c9114b9aefea", "value": "SmartEyes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smartloader", "https://research.openanalysis.net/github/lua/2024/03/03/lua-malware.html", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/" ], "synonyms": [], "type": [] }, "uuid": "af011dc6-e8a3-4a06-9fb8-42045cea92c5", "value": "SmartLoader" }, { "description": "According to PCrisk, Smaug ransomware is available for download on the dark web: it is for sale as Ransomware as a Service (RaaS). Therefore, cyber criminals who purchase it can perform ransomware attacks without having to develop malware of this type. Smaug is designed to encrypt files, rename them and create a ransom message.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug", "https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/", "https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html" ], "synonyms": [], "type": [] }, "uuid": "b81cbf03-8909-4833-badf-4df32c9bf6cb", "value": "SMAUG" }, { "description": "According to Mandiant, SMOKEDHAM is dropped through a powershell script that contains the (C#) source code for this backdoor, which is stored in an encrypted variable. 
The dropper dynamically defines a cmdlet and .NET class for the backdoor, meaning the compiled code is only found in memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham", "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise", "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", "https://www.mandiant.com/resources/burrowing-your-way-into-vpns" ], "synonyms": [], "type": [] }, "uuid": "7547af7d-e4fe-4ee1-8a3d-55981740b78c", "value": "SMOKEDHAM" }, { "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download request returns an HTTP 404, but the response body still contains data, so a 404 status alone does not indicate a failed C2 exchange.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", "https://irfan-eternal.github.io/understanding-internals-of-smokeloader/", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://www.silentpush.com/blog/privacy-tools-not-for-you", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html", "https://asec.ahnlab.com/en/36634/", "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/october/The%20Surge%20in%20Smokeloader%20Attacks%20on%20Ukrainian%20Institutions%20UA.pdf", "https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/", 
"https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html", "https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/", "https://youtu.be/QOypldw6hnY?t=3237", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", "https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view", "https://research.checkpoint.com/2019-resurgence-of-smokeloader/", "https://hatching.io/blog/tt-2020-08-27/", "http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html", "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", "https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/", "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", "https://farghlymal.github.io/SmokeLoader-Analysis/", 
"https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", "https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://suvaditya.one/malware-analysis/smokeloader/", "https://scpc.gov.ua/api/files/8e300d33-6257-4d7f-8f72-457224268343", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://infosec.exchange/@spamhaus/112008862430254522", "https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US", "http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer", "https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/", "https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/", "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf", "https://intel471.com/blog/privateloader-malware", "https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://asec.ahnlab.com/en/33600/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", 
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://m.alvar.es/2020/06/unpacking-smokeloader-and.html", "https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html", "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities", "https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/", "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/", "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/", "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer", "https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", 
"https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886", "https://embee-research.ghost.io/smokeloader-analysis-with-procmon/", "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise", "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", "https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd", "https://x0r19x91.in/malware-analysis/smokeloader/", "http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html", "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service", "https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem", "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/" ], "synonyms": [ "Dofoil", "Sharik", "Smoke", "Smoke Loader" ], "type": [] }, "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", "value": "SmokeLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators" ], "synonyms": [ "Ismo" ], "type": [] }, "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", "value": "Smominru" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32", 
"https://www.youtube.com/watch?v=7gCU31ScJgk", "https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/" ], "synonyms": [], "type": [] }, "uuid": "1fe0b2fe-5f9b-4359-b362-be611537442a", "value": "Smrss32" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sn0wslogger", "https://twitter.com/struppigel/status/1354806038805897216" ], "synonyms": [], "type": [] }, "uuid": "17c6c227-5c9b-40eb-886b-19e2b137c5e8", "value": "Sn0wsLogger" }, { "description": "Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. 
This ransomware is reported to target an entire network, rather than individual workstations.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake", "https://twitter.com/milkr3am/status/1270019326976786432", "https://twitter.com/bad_packets/status/1270957214300135426", "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017", "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md", "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/", "https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/", "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/", "https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/", "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html", 
"https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", "https://www.goggleheadedhacker.com/blog/post/22", "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/", "https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/", "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems", "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/" ], "synonyms": [ "EKANS", "SNAKEHOSE" ], "type": [] }, "uuid": "547deef9-67c3-483e-933d-171ee8b6b918", "value": "Snake" }, { "description": "Snatch is a ransomware that reboots the infected PC into Safe Mode before encrypting. Most endpoint security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch", "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://twitter.com/VK_Intel/status/1191414501297528832", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", 
"https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/" ], "synonyms": [], "type": [] }, "uuid": "98139439-6863-439c-b4d0-c6893f1afb23", "value": "Snatch" }, { "description": "Malware observed in the SnatchCrypto campaign, attributed by Kaspersky Labs to BlueNoroff with high confidence.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto", "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/", "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/", "https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf", "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html", "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf" ], "synonyms": [ "BackbitingTea" ], "type": [] }, "uuid": "b7affd90-6551-4266-b864-a0b9f6d5b309", "value": "SnatchCrypto" }, { "description": "A downloader trojan with some infostealer capabilities focused on the browser. 
Previously observed as part of RigEK campaigns.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", "https://www.youtube.com/watch?v=k3sM88o_maM", "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/", "https://twitter.com/VK_Intel/status/898549340121288704", "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/" ], "synonyms": [], "type": [] }, "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", "value": "SnatchLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [ "ByeByeShell" ], "type": [] }, "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", "value": "SNEEPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", "https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/", "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf", "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html", "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/", "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef" ], "synonyms": [ "Ursnif" ], "type": [] }, "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", "value": "Snifula" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" ], "synonyms": [], "type": [] }, 
"uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", "value": "Snojan" }, { "description": "Information stealer, written in Rust.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snowflake_stealer", "https://github.com/Finch4/Malware-Analysis-Reports/blob/master/SnowFlake%20Stealer/SnowFlake%20Stealer%20Analysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "7ddfdf14-ec97-48ea-88a6-055147583dc3", "value": "SnowFlake Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" ], "synonyms": [], "type": [] }, "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", "value": "SNS Locker" }, { "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] }, "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", "value": "Sobaken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig", "http://edition.cnn.com/2003/TECH/internet/08/21/sobig.virus/index.html" ], "synonyms": [ "Palyh" ], "type": [] }, "uuid": "4e9f85e7-0575-40e5-8799-288ec28237ca", "value": "Sobig" }, { "description": "Socelars is an infostealer with main focus on:\r\n* Facebook Stealer (ads/manager)\r\n* Cookie Stealer | AdsCreditCard {Amazon}", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://twitter.com/VK_Intel/status/1201584107928653824", "https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/", "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html", 
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [], "type": [] }, "uuid": "4366ea63-b784-428c-bb00-89ee99eaf8c3", "value": "Socelars" }, { "description": "Sockbot is a customized fork, written in Go, of the open-source Ligolo reverse tunneling tool.\r\nThe threat actors who reworked the code made several modifications, e.g. added execution checks and hardcoded values.\r\nLigolo: https://github.com/sysdream/ligolo", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot", "https://www.youtube.com/watch?v=CAMnuhg-Qos", "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/", "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html", "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf" ], "synonyms": [], "type": [] }, "uuid": "b477dcfb-281c-4bef-9a23-f004ebe5a465", "value": "Sockbot" }, { "description": "The Socks5 Systemz malware is a proxy botnet distributed via the PrivateLoader and Amadey loaders. Active since at least 2016, this botnet infects devices to use them as proxies for malicious activities, offering access for prices ranging from $1 to $140 per day in cryptocurrency. It employs a domain generation algorithm (DGA) to evade detection and enhance its resilience. Persistence is maintained through a Windows service named ContentDWSvc, with the malware injected into memory via a file called previewer.exe. 
To date, it has compromised approximately 10,000 devices globally, excluding Russia.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz", "https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey", "https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://csirtasobancaria.com/nueva-actividad-del-backdoor-socks5systemz" ], "synonyms": [], "type": [] }, "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", "value": "Socks5 Systemz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", "https://threatminer.org/report.php?q=Accenture-Goldfin-Security-Alert.pdf&y=2018", "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta" ], "synonyms": [ "BIRDDOG", "Nadrac" ], "type": [] }, "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", "value": "SocksBot" }, { "description": "This is a RAT that is usually loaded with one or more shellcode and/or reflective DLL injection techniques. The RAT uses RC4 or a hardcoded RSA key for traffic encryption/decryption. Its communication can either happen via a raw TCP socket or a HTTP POST request. 
Depending on the version, the RAT may remotely execute DLLs or shellcode.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster", "https://securelist.com/apt-trends-report-q1-2021/101967/", "https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf" ], "synonyms": [ "DelfsCake", "HEAVYPOT", "dfls" ], "type": [] }, "uuid": "016ea180-ec16-48ce-88ea-c78d8db369d5", "value": "SodaMaster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solar", "https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/" ], "synonyms": [], "type": [] }, "uuid": "1a11c0a9-8ab8-4e98-a7e6-e575eba33c93", "value": "Solar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", "https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/", "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" ], "synonyms": [ "Napolar" ], "type": [] }, "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", "value": "Solarbot" }, { "description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of 
SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker", "https://embeeresearch.io/shodan-censys-queries/", "https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html", "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction", "https://embee-research.ghost.io/shodan-censys-queries/", "https://hunt.io/blog/solarmarker-hunt-insight-and-findings", "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more", "https://unit42.paloaltonetworks.com/solarmarker-malware/", "https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/", "https://www.recordedfuture.com/exploring-the-depths-of-solarmarkers-multi-tiered-infrastructure", "https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer", "https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/", "https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html", "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/", "https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/", "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/", "https://twitter.com/MsftSecIntel/status/1403461397283950597", "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise", 
"https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/", "https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire", "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker", "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer", "https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf" ], "synonyms": [ "Jupyter", "Polazert", "Yellow Cockatoo" ], "type": [] }, "uuid": "4e08d816-9fe3-42ae-b7e4-f7182445f304", "value": "solarmarker" }, { "description": "Ransomware, written in .NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solidbit", "https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html" ], "synonyms": [], "type": [] }, "uuid": "94b4f63b-48c9-4f43-b145-c967f173d87d", "value": "SolidBit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat", "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs", "https://blogs.blackberry.com/en/2021/05/threat-thursday-sombrat-always-leave-yourself-a-backdoor" ], "synonyms": [], "type": [] }, "uuid": "2b2cffc5-bf6e-4636-a906-829c32115655", "value": "SombRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.somnia", "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65" ], "synonyms": [], "type": [] }, "uuid": "907ed2ce-5407-4e4d-9b1a-596d5489b008", "value": "Somnia" }, { "description": 
"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorano", "https://3xp0rt.xyz/lpmkikVic", "https://github.com/Alexuiop1337/SoranoStealer", "https://github.com/3xp0rt/SoranoStealer" ], "synonyms": [], "type": [] }, "uuid": "897985dc-6b3e-4d92-bbe4-c4902194cdcc", "value": "Sorano" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper" ], "synonyms": [], "type": [] }, "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", "value": "soraya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorefang", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "0068e2fe-0d13-4073-be73-90118b1d285a", "value": "SoreFang" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", "value": "Sorgu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soul", "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/", "https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware" ], "synonyms": [ "SoulSearcher" ], "type": [] }, "uuid": "f7e3b124-ad70-4456-9aff-3ec501e8c42d", "value": "Soul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", 
"https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/", "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://attack.mitre.org/wiki/Software/S0157", "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf" ], "synonyms": [ "denis" ], "type": [] }, "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", "value": "SOUNDBITE" }, { "description": "According to ESET, Spacecolon is a collection of malware written in Delphi, consisting of ScRansom, ScHackTool, ScInstaller, ScService, and ScPatcher.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spacecolon", "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/" ], "synonyms": [], "type": [] }, "uuid": "be9addb2-2caf-476c-8d50-c9803d997af6", "value": "SpaceColon" }, { "description": "SPACESHIP searches for files with a specified set of file extensions and copies them to\r\na removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,\r\nwhich could be used to infect another victim computer, including an air-gapped computer. 
SPACESHIP is\r\nthen used to steal documents from the air-gapped system, copying them to a removable drive inserted\r\ninto the SPACESHIP-infected system", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship", "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "813e2761-6d68-493f-846b-2fc86d2e8079", "value": "SPACESHIP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spark", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one", "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east" ], "synonyms": [], "type": [] }, "uuid": "3c676c22-8041-4cf6-8291-1bb9372e2d45", "value": "Spark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparkle", "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html" ], "synonyms": [], "type": [] }, "uuid": "339c60f6-8758-4d32-aa33-b0d722e924bb", "value": "Sparkle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparksrv", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan" ], "synonyms": [], "type": [] }, "uuid": "1937c3e0-569d-4eb4-b769-ae5d9cc27755", "value": "Sparksrv" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat", "https://asec.ahnlab.com/ko/56715/", "https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/", "https://blog.exatrack.com/melofee/", "https://asec.ahnlab.com/en/52899/", "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/", "https://github.com/XZB-1248/Spark" ], "synonyms": [], "type": [] }, "uuid": "55c6dce3-650b-4f67-8b47-5f6cd0acb72c", "value": "SparkRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door", "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/", "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf", "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/" ], "synonyms": [], "type": [] }, "uuid": "412a1b1b-77b1-4149-b7bd-14a43aa40dda", "value": "SparrowDoor" }, { "description": "Spartacus is ransomware written in .NET and emerged in the first half of 2018. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spartacus", "https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html" ], "synonyms": [], "type": [] }, "uuid": "e4dce19f-bb8e-4ea1-b771-58b162946f29", "value": "Spartacus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spearal", "https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/" ], "synonyms": [], "type": [] }, "uuid": "d386150b-4be2-4541-ae70-5a6cf227f119", "value": "Spereal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spectralviper", "https://www.elastic.co/fr/security-labs/elastic-charms-spectralviper" ], "synonyms": [], "type": [] }, "uuid": "4f9ee4dc-725e-4a8e-8c10-a013f6949b2d", "value": "SPECTRALVIPER" }, { "description": "Mixed RAT and Botnet malware sold in underground forums. In march 2021 it was advertised with the Spectre 2.0, it reached version 3 in June 2021 and then quickly version 4. This crimeware tool was being abused in malicious campaigns targeting European users in September 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spectre", "https://medium.com/walmartglobaltech/spectre-spc-v9-campaigns-and-updates-546c2e65e247", "https://yoroi.company/research/spectre-v4-0-the-speed-of-malware-threats-after-the-pandemics/" ], "synonyms": [], "type": [] }, "uuid": "0d0935cc-d98f-4a0e-8e13-f36358e974b4", "value": "Spectre Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", "value": "Spedear" }, { "description": "According to Trend Micro, this is a tool designed to disable security products, adopting two approaches to achieve this purpose. 
One approach terminates the security product process by using a vulnerable driver, zamguard64.sys, published by Zemana (vulnerability designated as CVE-2018-5713). Meanwhile, another approach disables process launching by using a new technique that they named stack rumbling.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sphijacker", "https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html" ], "synonyms": [], "type": [] }, "uuid": "24541e4c-27b3-4a80-9dca-972f9825d36b", "value": "SPHijacker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spica", "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" ], "synonyms": [], "type": [] }, "uuid": "e974faa2-107b-4a63-b10f-7b5936bf263f", "value": "SPICA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spicyhotpot", "https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/" ], "synonyms": [], "type": [] }, "uuid": "dfbe088e-dd6d-4bad-8e2b-7a4162034da4", "value": "Spicy Hot Pot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat", "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf", "https://twitter.com/nahamike01/status/1471496800582664193?s=20", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" ], "synonyms": [], "type": [] }, "uuid": "70d271b7-2dcc-4b4f-94a5-9ea4b2165510", "value": "SPIDERPIG RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.splitloader", "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" ], "synonyms": [], "type": [] }, "uuid": "dda86498-6a45-47c5-b9e4-0816c31765f5", "value": "splitloader" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", "http://malware-traffic-analysis.net/2017/01/17/index2.html", "https://github.com/MinervaLabsResearch/SporaVaccination", "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware" ], "synonyms": [], "type": [] }, "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", "value": "Spora" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" ], "synonyms": [], "type": [] }, "uuid": "34e9d701-22a1-4315-891d-443edd077abf", "value": "SpyBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder", "https://www.youtube.com/watch?v=-7Swd1ZetiQ", "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/", "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://vms.drweb.com/virus/?i=23648386", "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive", "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "bcee00e4-5316-45ad-8811-33c50b9394f8", "value": "Spyder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder_patchwork", 
"https://ti.qianxin.com/blog/articles/Patchwork-Group-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-against-Multiple-Countries-EN/", "https://mp.weixin.qq.com/s/ewGyvlmWUD45XTVsoxeVpg" ], "synonyms": [], "type": [] }, "uuid": "d16712eb-7f4c-4810-aadd-18db9036ec17", "value": "Spyder Patchwork" }, { "description": "SpyEye is malware targeting both Microsoft Windows browsers and Apple iOS Safari. Originating in Russia, it was available on dark forums for $500+, claiming to be \"The Next Zeus Malware\". It offered many functionalities typical of banker trojans, such as keyloggers, auto-fill credit card modules, email backups, config files (encrypted), HTTP access, POP3 grabbers and FTP grabbers. SpyEye allowed attackers to steal money from online bank accounts and initiate transactions even while legitimate users were logged into their bank accounts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye", "https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals", "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/", "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html", "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393", "https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/", "https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/", 
"http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html" ], "synonyms": [], "type": [] }, "uuid": "814fa0b7-0468-4ed0-b910-2b3caec96d44", "value": "SpyEye" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squidloader", "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/DoomedLoader.yar", "https://cybersecurity.att.com/blogs/labs-research/highly-evasive-squidloader-targets-chinese-organizations" ], "synonyms": [], "type": [] }, "uuid": "e9a3bc19-e7e7-4cce-8dd1-8b59e87b9522", "value": "SquidLoader" }, { "description": "According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. 
Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle", "https://redcanary.com/blog/intelligence-insights-december-2021", "https://security-soup.net/squirrelwaffle-maldoc-analysis/", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader", "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan", "https://www.malware-traffic-analysis.net/2021/09/17/index.html", "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf", "https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/", "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", "https://www.youtube.com/watch?v=9X2P7aFKSw0", "https://twitter.com/Max_Mal_/status/1442496131410190339", "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike", "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/", "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/", "https://twitter.com/jhencinski/status/1464268732096815105", "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9", "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html", 
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/", "https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/", "https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/", "https://www.cynet.com/understanding-squirrelwaffle/", "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html" ], "synonyms": [ "DatopLoader" ], "type": [] }, "uuid": "cdbfd973-fa96-4e64-b2a3-9d51460fd7af", "value": "Squirrelwaffle" }, { "description": "According to PaloAlto, SquirtDanger is a commodity botnet malware family that comes equipped with a number of characteristics and capabilities. The malware is written in C# (C Sharp) and has multiple layers of embedded code. Once run on the system, it will persist via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" ], "synonyms": [], "type": [] }, "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", "value": "SquirtDanger" }, { "description": "sRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. 
It can be thought of as a shellcode PE loader strapped to a packed DLL.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.srdi", "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://github.com/monoxgas/sRDI", "https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/", "https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight", "https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" ], "synonyms": [ "DAVESHELL" ], "type": [] }, "uuid": "90ee25aa-89a8-4d70-a4d8-aee44561a146", "value": "sRDI" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sshnet", "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/", "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf" ], "synonyms": [], "type": [] }, "uuid": "7e0667e8-67fd-4b5f-a3e4-3ced4dcaac1e", "value": "SSHNET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [], "type": [] }, "uuid": "009db412-762d-4256-8df9-eb213be01ffd", "value": "SslMM" }, { "description": "SSLoad is a Rust-based downloader that first emerged in January 2024 and is used to deliver secondary payloads. Early versions of the malware used a first-stage DLL that connected to a Telegram channel named 'SSLoad' to retrieve another URL. It then downloaded a compressed PE file using a hardcoded User-Agent (SSLoad/1.x) and Content-Type over HTTP. 
The downloaded file was then decompressed and executed directly in memory. The malware has since undergone several updates, including changes to the command-and-control (C2) communication and the supporting executables that load the malware. Recent versions of the malware bypass the first-stage DLL by loading SSLoad directly onto the victim's machine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload", "https://www.linkedin.com/feed/update/urn:li:activity:7185786751922192384/", "https://infosec.exchange/@spamhaus/113402246487904714", "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt" ], "synonyms": [], "type": [] }, "uuid": "4eaafa4a-34a5-42f5-8f77-debb51b1e460", "value": "SSLoad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers", "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html" ], "synonyms": [], "type": [] }, "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", "value": "Stabuniq" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stalin_locker", "https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/" ], "synonyms": [ "StalinScreamer" ], "type": [] }, "uuid": "8c38460b-fcfd-434e-b258-875854c6aff6", "value": "StalinLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" ], "synonyms": [], "type": [] }, "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", "value": "Stampedo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", 
"https://securelist.com/operation-daybreak/75100/" ], "synonyms": [], "type": [] }, "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", "value": "StarCruft" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "f1decba9-6b3b-4636-a2b6-2208e178591a", "value": "StarLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", "value": "StarsyPound" }, { "description": "Potentially unwanted program that changes the startpage of browsers to induce ad impressions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage", "https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page" ], "synonyms": [ "Easy Television Access Now" ], "type": [] }, "uuid": "033dbef5-eb51-4f7b-87e6-6dc4bef72841", "value": "StartPage" }, { "description": "Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog", "https://twitter.com/ESETresearch/status/1433819369784610828", "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive" ], "synonyms": [], "type": [] }, "uuid": "4a844c8c-996c-4562-bed4-0496d7838157", "value": "STASHLOG" }, { "description": "This is a stealer 
used by LockBit 2.0.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit", "https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis", "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool", "https://twitter.com/r3c0nst/status/1425875923606310913", "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", "https://securelist.com/new-ransomware-trends-in-2022/106457/" ], "synonyms": [ "Corrempa" ], "type": [] }, "uuid": "b98c86d4-1eee-490e-a6f9-e9559322fec8", "value": "StealBit" }, { "description": "Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline.\r\n\r\nStealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. 
It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc", "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/", "https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets", "https://www.vmray.com/cyber-security-blog/stealc-a-new-stealer-emerges-in-2023/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://cocomelonc.github.io/book/2023/12/13/malwild-book.html", "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af", "https://www.youtube.com/watch?v=-1nVs-O1ubw", "https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/StealC/StealC_Technical_Analysis_Report.pdf", "https://securelist.com/tusk-infostealers-campaign/113367/", "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb", "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/", "https://glyc3rius.github.io/2023/10/stealc/", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware" ], "synonyms": [], "type": [] }, "uuid": "58a2c661-470e-438d-bea3-bff1ed987ed2", "value": "Stealc" }, { "description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. 
The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP addresses. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embeds a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor’s addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium", "https://github.com/Stealerium/Stealerium", "https://resources.securityscorecard.com/research/stealerium-detailed-analysis" ], "synonyms": [], "type": [] }, "uuid": "bf71f246-7382-486d-996d-c2b7aa8cf89b", "value": "Stealerium" }, { "description": "According to PTSecurity, this stealer harvests system information which is then RC4 encrypted and Base64 encoded before sending it to the C2 server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealer_0x3401", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks" ], "synonyms": [], "type": [] }, "uuid": "b30b8058-45d9-45aa-8a1f-c6abc78edef8", "value": "Stealer0x3401" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealhook", "https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html", "https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html" ], "synonyms": [], "type": [] }, "uuid": "8bc60b62-05f0-44bc-8edc-cbdcafe242d0", "value": "STEALHOOK" }, { "description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked 
to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target’s backend. Hackers commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target’s system. Another, simpler option is to use brute-force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker", "https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/", "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" ], "synonyms": [], "type": [] }, "uuid": "d1c5a299-c072-44b5-be31-d03853bca5ea", "value": "StealthWorker Go" }, { "description": "Check Point Research observed a wave of highly-targeted espionage attacks in Libya that utilize a new custom modular backdoor. Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealth_soldier", "https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/" ], "synonyms": [], "type": [] }, "uuid": "07a24653-0f0b-49cf-944d-b4686b7e48d0", "value": "Stealth Soldier" }, { "description": "Malware written in .NET that hides in Steam profile pictures. 
Tries to evade virtualization by detecting whether it is executed within VMware or VirtualBox.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.steamhide", "https://www.gdatasoftware.com/blog/2021/06/36861-malware-hides-in-steam-profile-images", "https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images" ], "synonyms": [], "type": [] }, "uuid": "4729fb59-44a8-4d2f-9914-cd93fc528888", "value": "SteamHide" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" ], "synonyms": [], "type": [] }, "uuid": "aea21616-061d-4177-9512-8887853394ed", "value": "StegoLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" ], "synonyms": [], "type": [] }, "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", "value": "Stinger" }, { "description": "According to Mandiant, STONEBOAT is an installer for DICELOADER. 
It is written in .NET and drops its payload in-memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stoneboat", "https://www.mandiant.com/resources/blog/evolution-of-fin7" ], "synonyms": [], "type": [] }, "uuid": "c4286ab0-748a-4473-b4a6-ac4426f73393", "value": "STONEBOAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [], "type": [] }, "uuid": "0c5bc5c8-5136-413a-bc5a-e13333271f49", "value": "StoneDrill" }, { "description": "STOP Djvu Ransomware is ransomware which encrypts user data with AES-256 and adds one of the dozen available extensions as a marker to the encrypted file's name. It does not encrypt the entire file but only the first 5 MB. 
In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://glyc3rius.github.io/2024/02/stop/", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", "https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view", "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", "https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list", "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://intel471.com/blog/privateloader-malware", "https://securelist.com/keypass-ransomware/87412/", "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://any.run/cybersecurity-blog/crackedcantil-breakdown/", "https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b", "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads", 
"https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://www.gdatasoftware.com/blog/2022/01/malware-vaccines", "https://angle.ankura.com/post/102het9/the-stop-ransomware-variant" ], "synonyms": [ "Djvu", "KeyPass" ], "type": [] }, "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd", "value": "STOP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stormwind", "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/" ], "synonyms": [], "type": [] }, "uuid": "98d5a891-f4dd-4c87-a019-1f1e7ab59301", "value": "Stormwind" }, { "description": "According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication like SSH, socks5. Backdoor component supports upload and download of files, remote shell and basic information gathering.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://github.com/ph4ntonn/Stowaway", "https://blog.exatrack.com/melofee/" ], "synonyms": [], "type": [] }, "uuid": "cd187108-c557-42f8-8e48-1993abb37720", "value": "STOWAWAY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" ], "synonyms": [], "type": [] }, "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", "value": "Stration" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stratofear", "https://www.mandiant.com/resources/blog/north-korea-supply-chain" ], "synonyms": [], "type": [] }, "uuid": "a968a42e-4162-46db-a96e-2a45927d1cd7", "value": "STRATOFEAR" }, { "description": "According to PCRisk, StrelaStealer seeks to extract email account log-in credentials. 
At the time of writing, this program targets Microsoft Outlook and Mozilla Thunderbird email clients.\r\n\r\nFollowing successful infiltration, StrelaStealer searches for \"logins.json\" (account/password) and \"key4.db\" (password database) within the \"%APPDATA%\\Thunderbird\\Profiles\\\" directory - by doing so, it can acquire the credentials for Thunderbird.\r\n\r\nAlternatively, if Outlook credentials are targeted - StrelaStealer seeks out the Windows Registry from where it can retrieve the program's key and \"IMAP User\", \"IMAP Server\", as well as the \"IMAP Password\" values. Since the latter is kept in an encrypted form, the malicious program employs the Windows CryptUnprotectData feature to decrypt it prior to exfiltration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer", "https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/", "https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html", "https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc", "https://unit42.paloaltonetworks.com/strelastealer-campaign/", "https://blog.sonicwall.com/en-us/2024/06/strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe/", "https://cert-agid.gov.it/news/analisi-tecnica-e-considerazioni-sul-malware-strela/" ], "synonyms": [], "type": [] }, "uuid": "17f84079-56b8-4be5-bc59-75c8526b0ce0", "value": "StrelaStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/", "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/", "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", 
"https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/" ], "synonyms": [], "type": [] }, "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", "value": "Stresspaint" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat", "https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff", "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations", "https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/", "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "synonyms": [], "type": [] }, "uuid": "5627aff2-7e1d-4b11-81f5-33cd7febdd76", "value": "StrifeWater RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strikesuit_gift", "https://assets.stairwell.com/hubfs/Marketing-Assets/Stairwell-threat-report-The-origin-of-APT32-macros.pdf", "https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/" ], "synonyms": [], "type": [] }, "uuid": "ec2a5a29-a142-447c-85b9-ec47e78f9cb2", "value": "StrikeSuit Gift" }, { "description": "According to Mitre, StrongPity is an information stealing malware used by PROMETHIUM.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/", "https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation", "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/", "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg", 
"https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/", "https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/", "https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara", "https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA", "https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4", "https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blogs.blackberry.com/en/2021/11/zebra2104", "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", "https://twitter.com/physicaldrive0/status/786293008278970368" ], "synonyms": [], "type": [] }, "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", "value": "StrongPity" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147", "https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet", "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001", 
"https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html", "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", "https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper", "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/" ], "synonyms": [], "type": [] }, "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", "value": "Stuxnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero", "https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf", "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", "https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/", "https://socradar.io/threats-of-commercialized-malware-knotweed/", "https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html" ], "synonyms": [ "Corelump", "Jumplump" ], "type": [] }, "uuid": 
"72fb9dd2-33bf-4620-bf03-92630d7da101", "value": "Subzero" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suceful", "https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "efe586da-a272-4898-9ebb-587f8f5a23ca", "value": "SUCEFUL" }, { "description": "Ransomware, written in Delphi.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sugar", "https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49", "https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb", "https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69" ], "synonyms": [], "type": [] }, "uuid": "ea7d0457-3625-4224-aed4-739a360b10d3", "value": "Sugar" }, { "description": "According to Mandiant, SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers. 
There are also versions to exfiltrate data via SMTP and HTTP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sugardump", "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "synonyms": [], "type": [] }, "uuid": "655c3dbb-8d2c-4613-8722-ec12b24d5956", "value": "SUGARDUMP" }, { "description": "According to Mandiant, SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sugarrush", "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "synonyms": [], "type": [] }, "uuid": "129163aa-8539-40ee-a627-0ac6775697b5", "value": "SUGARRUSH" }, { "description": "FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. 
Multiple trojanized updates were digitally signed from March to May 2020 and posted to the SolarWinds updates website.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/", "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst", "https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/", "https://us-cert.cisa.gov/ncas/alerts/aa20-352a", "https://www.mandiant.com/resources/unc2452-merged-into-apt29", "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610", "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth", "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947", "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug", "https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/", "https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/", "https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf", "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update", "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/", "https://netresec.com/?b=212a6ad", "https://www.youtube.com/watch?v=dV2QTLSecpc", "https://twitter.com/cybercdh/status/1338975171093336067", "https://www.fireeye.com/current-threats/sunburst-malware.html", 
"https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/", "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/", "https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html", "https://www.brighttalk.com/webcast/7451/462719", "https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/", "https://netresec.com/?b=2113a6a", "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs", "https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/", "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/", "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/", "https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons", "https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/", "https://www.brighttalk.com/webcast/7451/469525", "https://www.youtube.com/watch?v=mbGN1xqy1jY", "https://twitter.com/cybercdh/status/1339241246024404994", "https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/", "https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html", "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", "https://twitter.com/lordx64/status/1338526166051934213", "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/", "https://twitter.com/Intel471Inc/status/1339233255741120513", "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q", "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", 
"https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga", "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign", "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/", "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html", "https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/", "https://www.cadosecurity.com/post/responding-to-solarigate", "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling", "https://youtu.be/SW8kVkwDOrc?t=24706", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.youtube.com/watch?v=-Vsgmw2G4Wo", "https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json", "https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software", "https://github.com/SentineLabs/SolarWinds_Countermeasures", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://twitter.com/megabeets_/status/1339308801112027138", "https://www.youtube.com/watch?v=GfbxHy6xnbA", "https://www.youtube.com/watch?v=LA-XE5Jy2kU", "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/", "https://netresec.com/?b=211cd21", "https://pastebin.com/6EDgCKxd", "https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", 
"https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en", "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/", "https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control", "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/", "https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation", "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", "https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://twitter.com/cybercdh/status/1338885244246765569", "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/", "https://www.solarwinds.com/securityadvisory", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a", "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html", "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718", 
"https://twitter.com/ItsReallyNick/status/1338382939835478016", "https://us-cert.cisa.gov/ncas/alerts/aa21-077a", "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha", "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html", "https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/", "https://www.mimecast.com/blog/important-security-update/", "https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/", "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/", "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance", "https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data", "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/", "https://securelist.com/sunburst-backdoor-kazuar/99981/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds", "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095", "https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/", 
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", "https://www.mimecast.com/incident-report/", "https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/", "https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities", "https://github.com/cisagov/CHIRP", "https://github.com/fireeye/Mandiant-Azure-AD-Investigator", "https://github.com/sophos-cybersecurity/solarwinds-threathunt", "https://www.4hou.com/posts/KzZR", "https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection", "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar", "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident", "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306", "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more", "https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure", "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html", "https://community.riskiq.com/article/9a515637", "https://netresec.com/?b=211f30f", "https://github.com/fireeye/sunburst_countermeasures", "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline", "https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html", 
"https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#", "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html", "https://unit42.paloaltonetworks.com/atoms/solarphoenix/", "https://github.com/RedDrip7/SunBurst_DGA_Decode", "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards", "https://twitter.com/0xrb/status/1339199268146442241", "https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/", "https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution", "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf", "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/", "https://www.mandiant.com/media/10916/download", "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/", "https://www.cisa.gov/supply-chain-compromise", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS", "https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/", "https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view", "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response", "https://us-cert.cisa.gov/remediating-apt-compromised-networks", "https://www.youtube.com/watch?v=cMauHTV-lJg", "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/", "https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/", "https://www.solarwinds.com/securityadvisory/faq", "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/", 
"https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/", "https://twitter.com/FireEye/status/1339295983583244302", "https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a", "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html", "https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack", "https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm", "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/", "https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html", "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack", "https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack", "https://www.youtube.com/watch?v=JoMwrkijTZ8", "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf", "https://www.comae.com/posts/sunburst-memory-analysis/", "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/", "https://twitter.com/KimZetter/status/1338305089597964290", "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection", "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc", "https://youtu.be/Ta_vatZ24Cs?t=59" ], "synonyms": [ "Solorigate" ], "type": [] }, "uuid": "34e50688-6955-4c28-8e18-50252e5ea711", "value": "SUNBURST" }, { "description": "According to PCrisk, Suncrypt ransomware prevents victims from accessing files by encryption. It also renames all encrypted files and creates a ransom message. 
It renames encrypted files by appending a string of random characters as the new extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/", "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022", "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", 
"https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83", "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc" ], "synonyms": [], "type": [] }, "uuid": "018fb88b-a3cd-46b7-adea-a5b85302715b", "value": "SunCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" ], "synonyms": [], "type": [] }, "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", "value": "SunOrcal" }, { "description": "According to Proofpoint, this is a Lua-based malware likely used by a nation-state sponsored attacker used to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunseed", "https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware", "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails" ], "synonyms": [], "type": [] }, "uuid": "a89f7e01-b049-4d09-aca3-ce19d91c4544", "value": "SunSeed" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.superbear", "https://0x0v1.com/posts/superbear/superbear/" ], "synonyms": [], "type": [] }, "uuid": "a6ca0a04-359d-4f7a-b556-46b33ec75473", "value": 
"SuperBear RAT" }, { "description": "According to CISA, SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal, which is then compiled and executed on the server. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials. Note that several of the references below link SUPERNOVA's deployment to a separate threat group (SPIRAL) rather than to the SUNBURST supply-chain actor, so the two should not be conflated during attribution or scoping of an incident.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova", "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", "https://github.com/fireeye/sunburst_countermeasures", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://unit42.paloaltonetworks.com/solarstorm-supernova", "https://unit42.paloaltonetworks.com/solarstorm-supernova/", "https://www.anquanke.com/post/id/226029", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a", "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group", "https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis", "https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://github.com/fireeye/sunburst_countermeasures/pull/5", "https://twitter.com/MalwareRE/status/1342888881373503488", "https://www.solarwinds.com/securityadvisory/faq", "https://www.youtube.com/watch?v=7WX5fCEzTlA", "https://www.cisa.gov/news-events/analysis-reports/ar21-112a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html", 
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan", "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.solarwinds.com/securityadvisory" ], "synonyms": [], "type": [] }, "uuid": "62674a18-54c6-4c57-84cc-ea6a3bb2d6d6", "value": "SUPERNOVA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox", "https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us", "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1", "https://blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured/", "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim", "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf", "https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf" ], "synonyms": [ "Bayrob", "Nivdort", "pizd" ], "type": [] }, "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", "value": "SuppoBox" }, { "description": "According to PCrisk, Surtr is ransomware. Malware of this type encrypts files (and renames them) and generates a ransom note. 
Surtr appends the decryptmydata@mailfence.com email address and the \".SURT\" extension to filenames. Note: this PCrisk text describes Surtr ransomware, whereas the Malpedia entry win.surtr and the Citizen Lab reference below cover a 2013 espionage malware family targeting the Tibetan community; the two appear to be unrelated families that merely share a name, so this description should not be applied to the referenced samples.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.surtr", "https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/" ], "synonyms": [], "type": [] }, "uuid": "8666afcc-8cc2-4856-83de-b7e8b4309367", "value": "surtr" }, { "description": "According to PCrisk, SVCReady collects information about the infected system such as username, computer name, time zone, computer manufacturer, BIOS, and firmware. Also, it gathers lists of running processes and installed software. SVCReady sends collected data to the C2 server. Additionally, SVCReady attempts to maintain its foothold on the system by creating a scheduled task.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/" ], "synonyms": [], "type": [] }, "uuid": "20157c10-2a5f-49d9-baf5-d350fb65c06e", "value": "SVCReady" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sweetspecter", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/" ], "synonyms": [], "type": [] }, "uuid": "5ba81060-0eba-4811-b1cb-6b21edd7ed5b", "value": "SweetSpecter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swen", "https://en.wikipedia.org/wiki/Swen_(computer_worm)" ], "synonyms": [], "type": [] }, "uuid": "63657a3b-1f8f-422d-80de-fe4644f5d7ba", "value": "swen" }, { "description": "According to ESET, this is a wiper written in Go that was deployed against a Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim’s Active Directory environment.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.swiftslicer", "https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/", "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf" ], "synonyms": [ "JaguarBlade" ], "type": [] }, "uuid": "dba43d45-053f-4225-b813-ff7727b2b7d2", "value": "SwiftSlicer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", "value": "Sword" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-edison", "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", "https://www.symantec.com/connect/blogs/sykipot-attacks", "https://community.rsa.com/thread/185437", "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/" ], "synonyms": [ "Wkysol", "getkys" ], "type": [] }, "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", "value": "sykipot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", "https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/", "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" ], "synonyms": [], "type": 
[] }, "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", "value": "SynAck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" ], "synonyms": [], "type": [] }, "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", "value": "SyncCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", "value": "SynFlooder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" ], "synonyms": [], "type": [] }, "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", "value": "Synth Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [], "type": [] }, "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", "value": "Sys10" }, { "description": "SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its command-and-control channel. Use of the family is attributed by Unit 42 to the Konni Group. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/", "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" ], "synonyms": [], "type": [] }, "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", "value": "Syscon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" ], "synonyms": [], "type": [] }, "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", "value": "SysGet" }, { "description": "Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. 
Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker", "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html", "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/", "https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/", "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/" ], "synonyms": [], "type": [] }, "uuid": "16387289-9064-4ae9-8493-0a3623cdfd9a", "value": "SysJoker (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit", "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media", "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html", "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897", "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/", "https://twitter.com/QW5kcmV3/status/1176861114535165952", "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain" ], "synonyms": [ "IvizTech", "MANGOPUNCH" ], "type": [] }, "uuid": "4922f27b-a97c-4d6b-9425-1705f4716ee0", "value": "SysKit" }, { "description": "Sysraw stealer got its name because at some point, it was started as \"ZSysRaw\\sysraw.exe\". PDB strings suggest the name \"Clipsa\" though. First stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggest that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. 
data) named \"1?[-+].dat\" and POSTs them.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer", "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/", "https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/" ], "synonyms": [ "Clipsa" ], "type": [] }, "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947", "value": "Sysraw Stealer" }, { "description": "Sysrv is a cryptojacking malware written in Go. There are Windows and Linux variants.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysrv_hello", "https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/", "https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet" ], "synonyms": [], "type": [] }, "uuid": "cabc5944-195e-4939-a00f-a3cd6758f308", "value": "Sysrv-hello (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" ], "synonyms": [], "type": [] }, "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", "value": "SysScan" }, { "description": "SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC.\r\n\r\nSystemBC has been observed occasionally, but more frequently since June 2019. 
First samples goes back to October 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc", "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", "https://www.reliaquest.com/blog/gootloader-infection-credential-access/", "https://docs.velociraptor.app/exchange/artifacts/pages/systembc/", "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/", "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6", "https://thedfirreport.com/2024/08/26/blacksuit-ransomware/", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://www.bitsight.com/blog/emotet-botnet-rises-again", "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/The%20Swiss%20Knife%20-%20SystemBC%20%7C%20Coroxy/The%20Swiss%20Knife-SystemBC_EN.pdf", "https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/", "https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/", "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes", 
"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits", "https://community.riskiq.com/article/47766fbd", "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", "https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight", "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", "https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/", "https://securelist.com/focus-on-droxidat-systembc/110302/", "https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/", "https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem", "https://asec.ahnlab.com/en/33600/", "https://news.sophos.com/en-us/2020/12/16/systembc/", "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders" ], "synonyms": [ "Coroxy", "DroxiDat" ], "type": [] }, "uuid": "cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa", "value": "SystemBC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", 
"https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://www.secureworks.com/research/srizbi", "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel" ], "synonyms": [ "Srizbi" ], "type": [] }, "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", "value": "Szribi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.t34loader", "https://urlhaus.abuse.ch/browse/tag/T34loader/" ], "synonyms": [], "type": [] }, "uuid": "fe3abd7c-97d6-42b9-b556-057e5588b550", "value": "T34loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", "value": "TabMsgSQL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat", "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a", 
"https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" ], "synonyms": [ "simbot" ], "type": [] }, "uuid": "94323b32-9566-450b-8480-5f9f53b57948", "value": "taidoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taintedscribe", "https://blog.reversinglabs.com/blog/hidden-cobra", "https://www.us-cert.gov/ncas/analysis-reports/ar20-133b" ], "synonyms": [], "type": [] }, "uuid": "014940fb-6e31-408a-962f-71914d0eb2f5", "value": "TAINTEDSCRIBE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" ], "synonyms": [], "type": [] }, "uuid": "b0467c03-824f-4071-8668-f056110d2a50", "value": "Taleret" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" ], "synonyms": [], "type": [] }, "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", "value": "Tandfuy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux" ], "synonyms": [], "type": [] }, "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", "value": "Tapaoux" }, { "description": "This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware is dated to mid-June 2021. 
The extension of the encrypted files is set to the name of the compromised company.\r\nA decryptor was released on 2022-02-07 by Avast; the references below show the family continuing to evolve under the Mallox/Fargo/Xollam names after that date, so later variants may not be covered by it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany", "https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/", "https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html", "https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/", "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/", "https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back", "https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/", "https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/", "https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware", "https://labs.k7computing.com/index.php/mallox-evading-amsi/", "https://asec.ahnlab.com/en/39152/", "https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html", "https://unit42.paloaltonetworks.com/mallox-ransomware/", "https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html" ], "synonyms": [ "Fargo", "Mallox", "Tohnichi" ], "type": [] }, "uuid": "77af876d-84c5-4da3-a2b0-2fe5c77f758c", "value": "TargetCompany" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", "value": "Tarsip" }, { "description": "According to Zscaler, Taurus is a stealer that surfaced in June 2020. It is being developed by the author(s) that previously created Predator the Thief. 
The name overlaps partly with the StealerOne / Terra* family (also aliased Taurus Loader) but appears to be a completely disjunct project.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/", "https://blog.minerva-labs.com/taurus-stealers-evolution", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/", "https://www.zscaler.com/blogs/research/taurus-new-stealer-town", "https://outpost24.com/blog/an-in-depth-analysis-of-the-new-taurus-stealer/" ], "synonyms": [], "type": [] }, "uuid": "68b89458-f78e-41b3-b0ee-c193aaa948f9", "value": "Taurus Stealer" }, { "description": "Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication and uses wolfSSL, which makes it stick out.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient", "https://twitter.com/stvemillertime/status/1266050369370677249" ], "synonyms": [ "FIRESHADOW" ], "type": [] }, "uuid": "fc551237-8db7-4cfd-a915-9e8410abb313", "value": "TClient" }, { "description": "F-Secure described tDiscoverer (also known as HammerDuke) as interesting because it is written in .NET, and even more so because of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands, but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date. 
If the account exists, HammerDuke will then search for tweets from that account with links to image files that contain embedded commands for the toolset to execute.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58", "https://securityintelligence.com/hammertoss-what-me-worry/", "https://www.youtube.com/watch?v=UE9suwyuic8" ], "synonyms": [ "HAMMERTOSS", "HammerDuke" ], "type": [] }, "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", "value": "tDiscoverer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", "http://www.clearskysec.com/tulip/" ], "synonyms": [], "type": [] }, "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", "value": "TDTESS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy", "https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent", "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging", "https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer" ], "synonyms": [ "TVRAT", "TVSPY", "TeamViewerENT" ], "type": [] }, "uuid": "9a82b6f6-2fdf-47bc-af05-cf7ce225fc96", "value": "TeamSpy" }, { "description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. 
Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop", "https://github.com/fireeye/sunburst_countermeasures", "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", "https://unit42.paloaltonetworks.com/atoms/solarphoenix/", "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate", "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b", "https://www.mandiant.com/resources/unc2452-merged-into-apt29", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/", "https://twitter.com/TheEnergyStory/status/1342041055563313152", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf", "https://www.youtube.com/watch?v=GfbxHy6xnbA", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds", "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", "https://www.youtube.com/watch?v=LA-XE5Jy2kU", "https://twitter.com/craiu/status/1339954817247158272", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", "https://www.brighttalk.com/webcast/7451/462719", "https://twitter.com/TheEnergyStory/status/1346096298311741440", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/", "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/", "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more" ], "synonyms": [], "type": [] }, "uuid": "efa01fef-7faf-4bb2-8630-b3a237df882a", "value": "TEARDROP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal", "https://twitter.com/WDSecurity/status/1105990738993504256" ], "synonyms": [], "type": [] }, "uuid": "aaa05037-aee1-4353-ace1-43ae0f558091", "value": "TefoSteal" }, { "description": "According to Check Point, this is a Telegram-focused infostealer (FTP / Delphi) used to target Iranian expats and dissidents.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telandext", 
"https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" ], "synonyms": [], "type": [] }, "uuid": "b2b5a816-2268-4cb8-9958-491356c452ec", "value": "TelAndExt" }, { "description": "According to Check Point, this is a Telegram-focused infostealer (SOAP / Delphi) used to target Iranian expats and dissidents.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telb", "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" ], "synonyms": [], "type": [] }, "uuid": "daf2f70b-205e-4b39-89a6-d382ded4c33c", "value": "TelB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine", "https://www.secureworks.com/research/threat-profiles/iron-viking", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", "value": "TeleBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/", "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html" ], "synonyms": [], "type": [] }, "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", "value": "TeleDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telegram_grabber", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html" ], "synonyms": [], "type": [] }, "uuid": 
"48352761-a92f-43b4-931d-249ac9eae8b2", "value": "TelegramGrabber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telemiris", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" ], "synonyms": [], "type": [] }, "uuid": "f39400a3-3b27-4dc6-bccd-aa277ca99f28", "value": "Telemiris" }, { "description": "Cisco Talos reports that this is a data exfiltration tool used by TA505.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teleport", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/" ], "synonyms": [], "type": [] }, "uuid": "b6a2a1ea-6cdb-4cbd-a9a6-539c7db1c6de", "value": "Teleport" }, { "description": "According to PCrisk, Tellyouthepass is one of many ransomware-type programs used to block access to files by encryption and keep them in this state unless a ransom is paid.\r\n\r\nThe program renames all encrypted files by adding the \".locked\" extension and creates a ransom message in a text file called \"README.html\". 
For example, \"1.jpg\" is renamed by Tellyouthepass to \"1.jpg.locked\".\r\n\r\nAccording to cyber criminals, this ransomware encrypts data using RSA-1024 and AES-256 cryptography algorithms.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass", "https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks" ], "synonyms": [], "type": [] }, "uuid": "fa1dbbef-c2b0-44a2-8457-764dfc99be17", "value": "TellYouThePass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" ], "synonyms": [], "type": [] }, "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", "value": "Tempedreve" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.templedoor", "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks" ], "synonyms": [], "type": [] }, "uuid": "13df1034-baf2-4214-81a9-283f6219356c", "value": "TEMPLEDOOR" }, { "description": "According to Cyble, this is a stealer targeting several crypto currency wallets along with browser data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.temp_stealer", "https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/" ], "synonyms": [], "type": [] }, "uuid": "a27b7e55-6036-4c4a-96b2-0a99df878fe0", "value": "TempStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf", "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf" ], "synonyms": [ "Fakem 
RAT" ], "type": [] }, "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", "value": "Terminator RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite", "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", "https://www.mandiant.com/resources/evolution-of-fin7", "https://www.alienvault.com/blogs/labs-research/internet-of-termites" ], "synonyms": [], "type": [] }, "uuid": "c0801a29-ecc4-449b-9a1b-9d2dbde1995d", "value": "Termite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://www.esentire.com/web-native-pages/unmasking-venom-spider", "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire" ], "synonyms": [], "type": [] }, "uuid": "8036e023-c765-4bd6-828f-1c8d20987843", "value": "TerraPreter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader", "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-", "https://www.esentire.com/web-native-pages/unmasking-venom-spider", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire", "https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244" ], "synonyms": [], "type": [] }, "uuid": "ddfda5dc-a416-4cf3-b734-6aa083aa9e04", "value": "TerraLoader" }, { "description": 
"According to QuoINT, TerraRecon is a reconnaissance tool, looking for a specific piece of hardware and software targeting retail and payment services sectors. Attributed to Golden Chickens.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_recon", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "Taurus Loader Reconnaissance Module" ], "type": [] }, "uuid": "d8efa615-87bf-4477-8261-316215c0b637", "value": "TerraRecon" }, { "description": "According to QuoINT, TerraStealer (also known as SONE or StealerOne) is a generic reconnaissance tool, targeting for example email clients, web browsers, and file transfer utilities. Attributed to Golden Chickens.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://twitter.com/3xp0rtblog/status/1275746149719252992", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "SONE", "StealerOne", "Taurus Loader Stealer Module" ], "type": [] }, "uuid": "d5c9a697-c7bf-4e13-8c2e-c74465e77208", "value": "TerraStealer" }, { "description": "TerraTV is a custom DLL designed to hijack legit TeamViewer applications. It was discovered and documented by QuoINT. 
It has been attributed to Golden Chickens malware as a service group.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://blog.minerva-labs.com/taurus-user-guided-infection", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "Taurus Loader TeamViewer Module" ], "type": [] }, "uuid": "0597af12-88d2-4289-a154-191774e3f48d", "value": "TerraTV" }, { "description": "According to Kaspersky, detected in February 2015, the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to infect typical gaming files: game saves, user profiles, recoded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB. 
Recently,", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html", "https://blogs.cisco.com/security/talos/teslacrypt", "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack", "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", "https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/", "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", "https://community.riskiq.com/article/30f22a00" ], "synonyms": [ "cryptesla" ], "type": [] }, "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", "value": "TeslaCrypt" }, { "description": "TFlower is a new ransomware targeting mostly corporate networks discovered in August, 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing activity being performed by the ransomware when it encrypts a machine, further indicating that this ransomware is triggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware will conduct a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware also will terminate any running Outlook.exe process so that the mail files can be encrypted. 
This ransomware does not add an extension to encrypted files, but prepends the marker \"*tflower\" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower", "https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/", "https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign", "https://www.sygnia.co/mata-framework" ], "synonyms": [], "type": [] }, "uuid": "bd5d0ff1-7bd1-4f8d-bf66-4d02f8e68dd2", "value": "TFlower" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos", "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" ], "synonyms": [ "Alphabot" ], "type": [] }, "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", "value": "Thanatos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/" ], "synonyms": [], "type": [] }, "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", "value": "Thanatos Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thinmon", "https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg" ], "synonyms": [], "type": [] }, "uuid": "a416e88b-8fc0-41a9-bb2e-13cbcc5f22b0", "value": "ThinMon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], 
"type": [] }, "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", "value": "ThreeByte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", "value": "ThumbThief" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/", "https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", "https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html", "https://www.ic3.gov/Media/News/2021/211026.pdf" ], "synonyms": [ "Ranzy Locker" ], "type": [] }, "uuid": "e4be8d83-748e-46df-8dd7-0ce1b2255f36", "value": "ThunderX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" ], "synonyms": [], "type": [] }, "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3", "value": "Thunker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", 
"https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/" ], "synonyms": [], "type": [] }, "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca", "value": "Tidepool" }, { "description": "TigerLite is a TCP downloader.\r\n\r\nIt creates mutexes like \"qtrgads32\" or \"Microsoft32\".\r\n\r\nIt uses RC4 with the key \"MicrosoftCorporationValidation@#$%^&*()!US\" for decryption of its character strings, and a custom algorithm for encryption and decryption of network traffic. \r\n\r\nIt supports from 5 up to 8 commands with the following identifiers: 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876, 9999. The commands mostly perform various types of execution - either of code received from the server, or native Windows commands, with their output collected and sent back to the server.\r\n\r\nTigerLite is an intermediate step of a multi-stage attack, in which Tiger RAT is usually the next step. This malware was observed in attacks against South Korean entities in H1 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tigerlite", "https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf", "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/", "https://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat", "https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families", "https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/" ], "synonyms": [], "type": [] }, "uuid": "1fcd1afe-31ed-40c2-9262-6a6afe2a43e9", "value": "TigerLite" }, { "description": "This is third stage backdoor mentioned in the Kaspersky blog, \"Andariel evolves to target South Korea with ransomware\". 
The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory. Before getting decrypted with a hardcoded XOR key, the backdoor also checks for a sandbox environment.\r\nThe backdoor has some code overlap with a known malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat", "https://asec.ahnlab.com/en/56405/", "https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html", "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html", "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/", "https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf", "https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families", "https://asec.ahnlab.com/ko/56256/", "https://www.brighttalk.com/webcast/18282/493986", "https://asec.ahnlab.com/ko/58215/", "https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf", "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"57c0d7b4-f46b-44bf-9430-75ac7d3cf2df", "value": "Tiger RAT" }, { "description": "Standalone implant. Potentially tied to a framework called PATROLWAGON.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tildeb", "https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf" ], "synonyms": [], "type": [] }, "uuid": "8e846ea0-a46d-47c9-96e9-1cdefd49a846", "value": "tildeb" }, { "description": "F-Secure notes that TinyBanker, or Tinba for short, is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe.\r\n\r\nIf Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. 
The malware then tricks them into entering their personal information, log-in credentials, etc in the legitimate-looking page.\r\n\r\nTinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan", "http://contagiodump.blogspot.com/2012/06/amazon.html", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", "http://garage4hackers.com/entry.php?b=3086", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/", "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf" ], "synonyms": [ "Illi", "TinyBanker", "Zusy" ], "type": [] }, "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", "value": "Tinba" }, { "description": "TinyFluff is a dropper developed by the OldGremlin group. 
In one of their March '22 campaigns, TinyFluff included a JavaScript RAT with a time-independent DGA.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyfluff", "https://www.group-ib.com/blog/oldgremlin-comeback/" ], "synonyms": [], "type": [] }, "uuid": "e044c397-8491-466b-adb7-2deead4d9eb6", "value": "TinyFluff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software", "https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", "value": "TinyLoader" }, { "description": "TinyMet is a meterpreter stager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet", "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/", "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", 
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://twitter.com/VK_Intel/status/1273292957429510150", "https://github.com/SherifEldeeb/TinyMet" ], "synonyms": [ "TiniMet" ], "type": [] }, "uuid": "075c6fa0-e670-4fe1-be8b-b8b13714cb58", "value": "TinyMet" }, { "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an offspring of TinyNuke and very similar to its ancestor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", "https://asec.ahnlab.com/en/27346/", "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", "https://asec.ahnlab.com/en/32781/", "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", "https://krebsonsecurity.com/tag/nuclear-bot/", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/", "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/" ], "synonyms": [ "MicroBankingTrojan", "Nuclear Bot", "NukeBot", "Xbot" ], "type": [] }, 
"uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", "value": "TinyNuke" }, { "description": "Cisco Talos states that TinyTurla-NG is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyturla_ng", "https://blog.talosintelligence.com/tinyturla-next-generation/", "https://github.com/echocti/ECHO-Reports/blob/main/APT%20Reports/Turla/Turla%20Technical%20Analysis%20Report.pdf" ], "synonyms": [ "TTNG" ], "type": [] }, "uuid": "1b560d5a-1335-4a28-b50f-1d0a7bbbbf80", "value": "TinyTurlaNG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", "value": "TinyTyphon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", "https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" ], "synonyms": [], "type": [] }, "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c", "value": "TinyZbot" }, { "description": "Talos describes this as a malware family with very scoped functionality and thus a small code footprint, likely used as a second chance backdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla", 
"https://infosec.exchange/@SophosXOps/111109357153515214", "https://blog.talosintelligence.com/2021/09/tinyturla.html", "https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/" ], "synonyms": [], "type": [] }, "uuid": "e1fa6d45-4ac9-4ace-98a9-e21947f0e497", "value": "TinyTurla" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" ], "synonyms": [], "type": [] }, "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", "value": "Tiop" }, { "description": "The stealer is written in Go and capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.titan_stealer", "https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign", "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html", "https://github.com/D4NTESCODE/TitanStealerSource", "https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219" ], "synonyms": [], "type": [] }, "uuid": "0a98f387-885e-4ad4-b5ab-686f4c06dcf1", "value": "TitanStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger", "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger", 
"https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op", "https://vblocalhost.com/uploads/VB2020-20.pdf", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop" ], "synonyms": [ "LuckyBack" ], "type": [] }, "uuid": "8d7108fe-65be-4853-945d-1d5376dbaa34", "value": "Tmanger" }, { "description": "According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.\r\n\r\nCyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet", "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/", "https://www.cert.pl/en/news/single/tofsee-en/", "https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/", "https://blog.talosintelligence.com/tofsee-spam/", "https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4", 
"https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp", "https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining", "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/", "https://intel471.com/blog/privateloader-malware", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/" ], "synonyms": [ "Gheg" ], "type": [] }, "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", "value": "Tofsee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tokyox", "https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact-part-2/", "https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact/" ], "synonyms": [], "type": [] }, "uuid": "ad23afb8-cfce-4e43-b73f-58ca20fa0afe", "value": "TokyoX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tomiris", "https://securelist.com/it-threat-evolution-q2-2023/110355/", "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" ], "synonyms": [], "type": [] }, "uuid": "a5449893-ab06-419b-bb31-4ce16503dcd9", "value": "tomiris" }, { 
"description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" ], "synonyms": [], "type": [] }, "uuid": "77e29e3a-d4a3-4692-b1f8-38ad6dc1af1d", "value": "TONEDEAF" }, { "description": "According to Symantec, Grager was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of the backdoor revealed that it used the Graph API to communicate with a C&C server hosted on Microsoft OneDrive. 
Grager was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonerjam", "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en", "https://www.security.com/threat-intelligence/cloud-espionage-attacks" ], "synonyms": [], "type": [] }, "uuid": "a52be1e0-eb2b-4115-9f14-9e822341210b", "value": "TONERJAM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.toneshell", "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", "https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/", "https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf", "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/", "https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit", "https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf" ], "synonyms": [], "type": [] }, "uuid": "83bfa615-a1d4-4b61-bda0-beb560d24a97", "value": "TONESHELL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonnerre", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf", "https://research.checkpoint.com/2021/after-lightning-comes-thunder/" ], "synonyms": [], "type": [] }, "uuid": "a7590aa5-d9fb-449f-8a5e-5233077b736e", "value": "Tonnerre" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.topinambour", "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" ], "synonyms": [], "type": [] }, "uuid": "fcc49738-f801-47ff-977b-9e368bc85273", "value": "Topinambour" }, { "description": "Torisma is a complex HTTP(S) downloader that can serve as an orchestrator handling the execution of additional payloads from the C&C server.\r\n\r\nIt uses VEST-32 for encryption and decryption of network traffic between the client and the server. \r\n\r\nTypically, it uses these parameter names for its HTTP POST requests: ACTION, CODE, CACHE, REQUEST, RES. It sends the victim's MAC address in the initial request.\r\n\r\nThe response of the server informing the client about a successful authentication is \"Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}\". The client then requests additional data from the server, which decrypts to shellcode and its data parameters and is then executed. The client also creates a named pipe, \\\\.\\pipe\\fb4d1181bb09b484d058768598b, that allows inter-process communication with the executed shellcode. 
\r\n\r\nTorisma was usually downloaded by NedDnLoader, and deployed in the Operation DreamJob campaigns starting around Q4 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma", "https://www.telsy.com/lazarus-gate/", "http://blog.nsfocus.net/stumbzarus-apt-lazarus/", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/", "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf" ], "synonyms": [], "type": [] }, "uuid": "69860c07-2acb-4674-8e68-41a1d8fe958a", "value": "Torisma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/" ], "synonyms": [ "Teerac" ], "type": [] }, "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", "value": "TorrentLocker" }, { "description": "Downloader, delivered via a lure with fake exploits published on Github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tor_loader", "https://vulncheck.com/blog/fake-repos-deliver-malicious-implant" ], "synonyms": [], "type": [] }, "uuid": "b6c84477-198f-42ea-808b-e20b23271cd0", "value": "TorLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove", "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/", "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970" ], "synonyms": [], "type": [] }, "uuid": "39ecb19e-790b-475b-85db-ef4c7f9c9dce", "value": "TOUCHMOVE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.touchshift", 
"https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970" ], "synonyms": [], "type": [] }, "uuid": "accbbc7e-43f1-4232-90be-6c1fe90cbccf", "value": "TOUCHSHIFT" }, { "description": "ToxicEye is a ransomware that spreads through phishing emails. The malware encrypts system files with AES-256 and demands a ransom in Bitcoin.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye", "https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/", "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/" ], "synonyms": [], "type": [] }, "uuid": "0d445373-d520-4b67-9066-72f23452c774", "value": "ToxicEye" }, { "description": "According to Trend Micro, this is a backdoor abusing the Dropbox API, used by threat actor Earth Yako.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.transbox", "https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html" ], "synonyms": [], "type": [] }, "uuid": "e4d4af34-835a-4e39-b9e2-eb2456e5fce3", "value": "TransBox" }, { "description": "tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trat", "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "b9e6e4bd-57e8-44e7-853c-8dcb83c26079", "value": "tRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter", "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/", 
"https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html", "http://adelmas.com/blog/treasurehunter.php" ], "synonyms": [ "huntpos" ], "type": [] }, "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2", "value": "TreasureHunter" }, { "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in the wild\r\nOct 2016 - 1st Report\r\n2017 - Trickbot primarily uses Necurs as vehicle for installs.\r\nJan 2018 - Uses XMRIG (Monero) miner\r\nFeb 2018 - Bitcoin theft\r\nMar 2018 - Unfinished ransomware module\r\nQ3/4 2018 - Trickbot starts being spread through Emotet.\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Macro enabled > Trickbot installed", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", "https://community.riskiq.com/article/111d6005/description", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", "https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/", "https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/", "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6", "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", 
"https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass", "https://www.netscout.com/blog/asert/dropping-anchor", "https://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html", "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption", "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf", "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", "https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks", "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", "https://www.wired.co.uk/article/trickbot-malware-group-internal-messages", "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/", "https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works", 
"https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/", "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html", "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/", "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", 
"https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/", "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", "https://therecord.media/russian-trickbot-malware-developer-pleads-guilty", "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/", "https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/", "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/", "https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations", "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows", "https://intel471.com/blog/conti-leaks-ransomware-development", "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors", "https://community.riskiq.com/article/04ec92f4", 
"https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf", "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573", "https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://duo.com/decipher/trickbot-up-to-its-old-tricks", "https://twitter.com/VK_Intel/status/1328578336021483522", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", "https://labs.vipre.com/trickbots-tricks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/", "https://twitter.com/anthomsec/status/1321865315513520128", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", 
"http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/", "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", "https://www.youtube.com/watch?v=EdchPEHnohw", "https://blog.talosintelligence.com/2020/03/trickbot-primer.html", "https://www.cert.pl/en/news/single/detricking-trickbot-loader/", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://redcanary.com/resources/webinars/deep-dive-process-injection/", "https://www.splunk.com/en_us/blog/security/detecting-trickbots.html", "https://www.youtube.com/watch?v=Brx4cygfmg8", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html", "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", "https://unit42.paloaltonetworks.com/banking-trojan-techniques/", "https://cofenselabs.com/all-you-need-is-text-second-wave/", 
"https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes", "https://www.youtube.com/watch?v=KMcSAlS9zGE", "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html", "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html", "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html", "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://intel471.com/blog/privateloader-malware", "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/", "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", "https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/", "https://www.joesecurity.org/blog/498839998833561473", "https://www.youtube.com/watch?v=lTywPmZEU1A", "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/", "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", 
"https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/", "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/", "https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware", "https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/", "https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.secdata.com/the-trickbot-and-mikrotik/", "https://community.riskiq.com/article/298c9fc9", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", 
"https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/", "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/", "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/", "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", "https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://arcticwolf.com/resources/blog/karakurt-web", 
"https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", "https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/", "https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles", "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/", "https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/", "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", 
"https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/", "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/", "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor", "https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity", "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/", "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/", "https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/", "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", "https://blog.cyberint.com/ryuk-crypto-ransomware", "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", 
"https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", "https://www.ic3.gov/Media/News/2022/220120.pdf", "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf", "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/", "https://www.mandiant.com/media/12596/download", "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure", "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/", "https://www.wired.com/story/trickbot-malware-group-internal-messages/", "https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://www.nisos.com/research/trickbot-trickleaks-data-analysis/", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", 
"https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/", "https://osint.fans/service-nsw-russia-association", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "http://www.malware-traffic-analysis.net/2018/02/01/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blog.vincss.net/re025-trickbot-many-tricks/", "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/", "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", "https://securelist.com/trickbot-module-descriptions/104603/", 
"https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/", "https://share.vx-underground.org/Conti/", "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", "https://home.treasury.gov/news/press-releases/jy1256", "https://us-cert.cisa.gov/ncas/alerts/aa21-076a", "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/", "https://www.justice.gov/opa/press-release/file/1445241/download", "https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem", "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/", "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", "https://www.intrinsec.com/deobfuscating-hunting-ostap/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/", "https://www.secureworks.com/research/threat-profiles/gold-ulrick" ], "synonyms": [ "TheTrick", "TrickLoader", "Trickster" ], 
"type": [] }, "uuid": "c824813c-9c79-4917-829a-af72529e8329", "value": "TrickBot" }, { "description": "According to PCrisk, Trigona is ransomware that encrypts files and appends the \"._locked\" extension to filenames. Also, it drops the \"how_to_decrypt.hta\" file that opens a ransom note. An example of how Trigona renames files: it renames \"1.jpg\" to \"1.jpg._locked\", \"2.png\" to \"2.png._locked\", and so forth.\r\n\r\nIt embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trigona", "https://resources.prodaft.com/wazawaka-report", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware", "https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html", "https://unit42.paloaltonetworks.com/trigona-ransomware-update/", "https://asec.ahnlab.com/en/61000/", "https://asec.ahnlab.com/en/51343/" ], "synonyms": [], "type": [] }, "uuid": "d5e900b0-5a6d-4e29-ab64-fa72863198a1", "value": "Trigona" }, { "description": "Malware attacking Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", "https://www.eenews.net/stories/1060123327/", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF", "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a", "https://dragos.com/blog/trisis/TRISIS-01.pdf", "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", 
"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", "https://www.ic3.gov/Media/News/2022/220325.pdf", "https://home.treasury.gov/news/press-releases/sm1162", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics", "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", "https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a" ], "synonyms": [ "HatMan", "Trisis" ], "type": [] }, "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15", "value": "Triton" }, { "description": "Trochilus is a C++ written RAT, which is available on GitHub. 
\r\nGitHub Repo:\r\n- https://github.com/m0n0ph1/malware-1/tree/master/Trochilus\r\n- https://github.com/5loyd/trochilus", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", "https://github.com/5loyd/trochilus/", "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-vinewood", "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf" ], "synonyms": [], "type": [] }, "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e", "value": "Trochilus RAT" }, { "description": "According to Malwarebytes, ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. Ransom.Troldesh is spread by malspam, typically in the form of attached .zip files. 
This ransomware sometimes uses a CMS on a compromised site to host downloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", "https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/", "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/", "https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/", "https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/", "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/", "https://blog.avast.com/ransomware-strain-troldesh-spikes", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", "https://support.kaspersky.com/13059", "https://github.com/shade-team/keys", "https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/", "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/" ], "synonyms": [ "Shade" ], "type": [] }, "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126", "value": "Troldesh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troll_stealer", "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2" ], "synonyms": [], "type": [] }, "uuid": "83052e07-0022-467a-a047-fb2fcec3a870", "value": "Troll Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troublegrabber", "https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord" ], "synonyms": [], "type": [] }, "uuid": "183fa14a-f42a-4508-b146-8550ba1acf2a", "value": "TroubleGrabber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troystealer", 
"https://seguranca-informatica.pt/troystealer-a-new-info-stealer-targeting-portuguese-internet-users" ], "synonyms": [], "type": [] }, "uuid": "36d7dea1-6abf-41ea-bcd8-079f24dc0972", "value": "troystealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom" ], "synonyms": [], "type": [] }, "uuid": "48deadcc-1a67-442d-b181-fdaaa337c4bb", "value": "Trump Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri" ], "synonyms": [], "type": [] }, "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833", "value": "Tsifiri" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tunnelfish", "https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors" ], "synonyms": [], "type": [] }, "uuid": "561910ea-d165-48ea-9144-1c2d0cab3caa", "value": "TUNNELFISH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tunnelspecter", "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/" ], "synonyms": [], "type": [] }, "uuid": "339e7cba-5934-4fdb-8e98-739813927011", "value": "TunnelSpecter" }, { "description": "According to its Github repo, Tuoni is a sophisticated, cross-platform red teaming framework designed to enhance cybersecurity education and training through large-scale cyber defense exercises. Developed using Java for robustness, Docker for versatility, and featuring an intuitive web browser interface, it supports and streamlines cyber exercises. With its modular, extendable plugin system, Tuoni offers Red Teamers the flexibility to tailor its capabilities for specific educational and exercise needs. Its user-friendly interface facilitates easy operation and efficient reporting, essential in training environments. 
Tuoni embodies a commitment to power, adaptability, and collaboration, aimed at empowering Red Teamers with a tool that meets the dynamic demands of modern cyber defense education.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tuoni", "https://github.com/shell-dot/tuoni" ], "synonyms": [], "type": [] }, "uuid": "b2721b97-cbe8-4883-803a-814525ff5cac", "value": "Tuoni" }, { "description": "According to Mitre, Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turian", "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/", "https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day", "https://unit42.paloaltonetworks.com/playful-taurus/" ], "synonyms": [], "type": [] }, "uuid": "69585b58-ec98-4a70-b61d-288d5a7ca7c3", "value": "turian" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turkojan", "https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf" ], "synonyms": [], "type": [] }, "uuid": "17f9e595-c7c2-448a-a48a-6079e4c5791a", "value": "Turkojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", 
"https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", "https://unit42.paloaltonetworks.com/ironnetinjector/", "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html" ], "synonyms": [], "type": [] }, "uuid": "8c6248d2-2b3a-4fe8-99cd-552077e3f84f", "value": "TurlaRPC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://twitter.com/Arkbird_SOLG/status/1304187749373800455", "https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html" ], "synonyms": [ "BigBoss", "Cacao", "GoldenSky", "HyperStack" ], "type": [] }, "uuid": "ddee7f00-66e0-4d89-bd51-4b0df516a248", "value": "Turla SilentMoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", "https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/", "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [ "Notestuk" ], "type": [] }, "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", "value": "TURNEDUP" }, { "description": "TYPEFRAME is a RAT. 
\r\n\r\nIt supports ~25 commands that include operations on the victim’s filesystem, manipulation of its configuration, modification of the system's firewall, the download and execution of additional tools from the attacker’s C&C and the uninstall via a self-delete batch. The commands are indexed by 16-bit integers, starting with the value 0x8000.\r\n\r\nThe RAT uses RC4 for decryption of its binary configuration. It has a statically linked OpenSSL 0.9.8k library used for SSL communication.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.typeframe", "https://www.cisa.gov/news-events/analysis-reports/ar18-165a" ], "synonyms": [], "type": [] }, "uuid": "bcc18617-5310-47f0-be30-e2fef6252359", "value": "TYPEFRAME" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf" ], "synonyms": [ "SkinnyD" ], "type": [] }, "uuid": "d7b0ccc8-051c-4ab1-908e-3bd1811d9e2e", "value": "TypeHash" }, { "description": "According to PCrisk, Typhon is a stealer-type malware written in the C# programming language. Newer versions of this program are called Typhon Reborn (TyphonReborn). Malware within this classification is designed to extract data from infected systems. 
The older variants of Typhon have a broader range of functionalities, while Typhon Reborn versions are streamlined stealers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.typhon_stealer", "https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/" ], "synonyms": [ "Typhon Reborn V2" ], "type": [] }, "uuid": "fb5e364c-0f91-4b35-89cc-52eb4fc2a338", "value": "Typhon Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", "https://www.lastline.com/labsblog/tyupkin-atm-malware/" ], "synonyms": [], "type": [] }, "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c", "value": "Tyupkin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.t_cmd", "https://github.com/crackeeer/2006-defconbot/blob/master/T-cmd.cpp" ], "synonyms": [ "t_cmd" ], "type": [] }, "uuid": "892aa73e-7cb5-4eb5-bcb7-e9864bd03af2", "value": "T-Cmd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.t_rat", "https://www.gdatasoftware.com/blog/trat-control-via-smartphone" ], "synonyms": [], "type": [] }, "uuid": "fb9e9ade-b154-43ba-a0ea-550322454acf", "value": "T-RAT 2.0" }, { "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. 
Typically, components of this tool are stripped out and reused by malicious actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", "https://github.com/hfiref0x/UACME", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" ], "synonyms": [ "Akagi" ], "type": [] }, "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", "value": "UACMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos", "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html", "https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns" ], "synonyms": [], "type": [] }, "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", "value": "UDPoS" }, { "description": "Information stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal", "https://twitter.com/malwrhunterteam/status/1096363455769202688" ], "synonyms": [ "Usteal" ], "type": [] }, "uuid": "a24bf6d9-e177-44f2-9e61-8cf3566e45eb", "value": "UFR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix", "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue" ], "synonyms": [], "type": [] }, "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", "value": "Uiwix" }, { "description": "Umbral is a data-stealing Trojan that targets Windows systems. It spreads through phishing emails and malicious attachments. Once installed, Umbral can steal a variety of data, including usernames, passwords, online banking credentials, and confidential files. It can also change computer settings and execute harmful commands. 
Umbral is a serious security threat and should be removed immediately if found.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.umbral", "https://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/" ], "synonyms": [], "type": [] }, "uuid": "449a8708-d0ec-40c8-af7c-ea6960d11659", "value": "Umbral" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek", "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/", "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become" ], "synonyms": [], "type": [] }, "uuid": "788b5c01-6609-4a3e-8922-5734fb6897b4", "value": "UnderminerEK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "72961adc-ace1-4593-99f1-266119ddeccb", "value": "Unidentified 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003" ], "synonyms": [], "type": [] }, "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1", "value": "Unidentified 003" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" ], "synonyms": [], "type": [] }, "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6", "value": "Unidentified 006" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware", "http://blog.talosintelligence.com/2017/02/korean-maldoc.html" ], "synonyms": [], "type": [] }, "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956", "value": "Unidentified 013 (Korean)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7", "https://wikileaks.org/ciav7p1/cms/page_34308128.html" ], "synonyms": [], "type": [] }, "uuid": 
"40c66571-164c-4050-9c84-f37c9cd84055", "value": "Unidentified 020 (Vault7)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom" ], "synonyms": [], "type": [] }, "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f", "value": "Unidentified 022 (Ransom)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023" ], "synonyms": [], "type": [] }, "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b", "value": "Unidentified 023" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom", "https://twitter.com/malwrhunterteam/status/789161704106127360" ], "synonyms": [], "type": [] }, "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b", "value": "Unidentified 024 (Ransomware)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud", "http://malware-traffic-analysis.net/2016/05/09/index.html" ], "synonyms": [], "type": [] }, "uuid": "f43a0e38-2394-4538-a123-4a0457096058", "value": "Unidentified 025 (Clickfraud)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028" ], "synonyms": [], "type": [] }, "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b", "value": "Unidentified 028" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029" ], "synonyms": [], "type": [] }, "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180", "value": "Unidentified 029" }, { "description": "Unnamed ransomware that camouflages as a program performing system cleanup called \"System Analyzer Pro\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030", "https://twitter.com/JaromirHorejsi/status/877811773826641920" ], "synonyms": [], "type": [] }, "uuid": "7287a0b0-b943-4007-952f-07b9475ec184", "value": 
"Unidentified 030 (Ransomware)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031" ], "synonyms": [], "type": [] }, "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e", "value": "Unidentified 031" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037" ], "synonyms": [], "type": [] }, "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2", "value": "Unidentified 037" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038" ], "synonyms": [], "type": [] }, "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58", "value": "Unidentified 038" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" ], "synonyms": [], "type": [] }, "uuid": "97c1524a-c052-49d1-8770-14b513d8a830", "value": "Unidentified 039" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041" ], "synonyms": [], "type": [] }, "uuid": "88d70171-fc89-44d1-8931-035c0b095247", "value": "Unidentified 041" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042", "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/" ], "synonyms": [], "type": [] }, "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757", "value": "Unidentified 042" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044" ], "synonyms": [], "type": [] }, "uuid": "df9c8440-b4da-4226-b982-e510d06cf246", "value": "Unidentified 044" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045" ], "synonyms": [], "type": [] }, "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", "value": "Unidentified 045" }, { "description": "RAT written in Delphi used by Patchwork 
APT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" ], "synonyms": [], "type": [] }, "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", "value": "Unidentified 047" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052" ], "synonyms": [], "type": [] }, "uuid": "80c12fcd-e5ef-4549-860d-7928363022f9", "value": "Unidentified 052" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053" ], "synonyms": [], "type": [] }, "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", "value": "Unidentified 053 (Wonknu?)" }, { "description": "Unnamed port scanner used in the Australian Parliament Hack (Feb 2019).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "1b8e86ab-57b2-4cd9-a768-a7118b4eb4be", "value": "Unidentified 057" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058", "https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat", "https://securelist.com/the-return-of-the-bom/90065/" ], "synonyms": [], "type": [] }, "uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc", "value": "Unidentified 058" }, { "description": "This .NET executable can receive commands from its C2 server, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. 
At the end, it downloads a Python-based RAT, called PeppyRAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_066", "https://s.tencent.com/research/report/669.html" ], "synonyms": [], "type": [] }, "uuid": "e78c402f-998b-43ff-8102-f54838afcb8b", "value": "Unidentified 066" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_067", "https://s.tencent.com/research/report/831.html" ], "synonyms": [], "type": [] }, "uuid": "224066ee-4266-44a3-8ea2-b5d7b9b4969a", "value": "Unidentified 067" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068", "https://rules.emergingthreatspro.com/changelogs/suricata-5.0-enhanced.etpro.2019-12-05T23:38:02.txt" ], "synonyms": [], "type": [] }, "uuid": "26bfad72-59d8-456e-a200-eb18e614e5cb", "value": "Unidentified 068" }, { "description": "Zeus derivative, no known public references.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069", "https://zeusmuseum.com/unnamed%202/" ], "synonyms": [], "type": [] }, "uuid": "cc66d112-2ff5-462c-b029-15458d51f8a7", "value": "Unidentified 069 (Zeus Unnamed2)" }, { "description": "Unidentified downloader, possibly related to KONNI.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070", "https://twitter.com/M11Sec/status/1217781224204357633" ], "synonyms": [], "type": [] }, "uuid": "0bdef005-fd36-4ce0-a215-d49bf05b8fb8", "value": "Unidentified 070 (Downloader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071", "https://zeusmuseum.com/unnamed%201/" ], "synonyms": [], "type": [] }, "uuid": "cc7de9da-dc33-4cf8-9388-986b001fad63", "value": "Unidentified 071 (Zeus Unnamed1)" }, { "description": "MSI-based loader that has been observed as a stager for win.metamorfo.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_072", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md" ], "synonyms": [], "type": [] }, "uuid": "f2979fee-603d-496e-a526-d622e9cba84f", "value": "Unidentified 072 (Metamorfo Loader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074", "https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html", "https://blog.vincss.net/vi/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-nam-2020-doc-dinh-kem-email-phishing-2/" ], "synonyms": [], "type": [] }, "uuid": "4b60bda2-c587-4069-ace1-6283891d5faf", "value": "Unidentified 074 (Downloader)" }, { "description": "Unpacked http_dll.dat from the blog post.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075" ], "synonyms": [], "type": [] }, "uuid": "66f26a60-ab6a-4b7c-bd85-afdc44dbcfdd", "value": "Unidentified 075" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076", "https://www.zscaler.com/blogs/research/return-higaisa-apt", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://www.youtube.com/watch?v=8x-pGlWpIYI" ], "synonyms": [], "type": [] }, "uuid": "4d5d0798-9cb3-4f26-8c98-db8d7190d187", "value": "Unidentified 076 (Higaisa LNK to Shellcode)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077", "https://twitter.com/ccxsaber/status/1277064824434745345", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f" ], "synonyms": [], "type": [] }, "uuid": "ca8a1900-ea9a-4d83-8873-6c48ac12da9a", "value": "Unidentified 077 (Lazarus Downloader)" }, { "description": "Suspected Zebrocy loader written in Nim.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078", "https://twitter.com/Vishnyak0v/status/1300704689865060353" ], "synonyms": [], "type": [] }, "uuid": "99099489-eeb9-415a-a3b8-6133e774bed0", "value": "Unidentified 078 (Zebrocy Nim Loader?)" }, { "description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a target’s data, perform lateral movement and create SOCKS tunnels to their C2 using the Earthworm tunneler. Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080", "https://securelist.com/luckymouse-ndisproxy-driver/87914/" ], "synonyms": [], "type": [] }, "uuid": "f12b3029-87a1-4632-855f-4fef784210bd", "value": "Unidentified 080" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083", "https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/" ], "synonyms": [], "type": [] }, "uuid": "438ab9a3-3e2b-4241-8bcb-e61c2d118772", "value": "Unidentified 083 (AutoIT Stealer)" }, { "description": "A RAT written in .NET, potentially used by Transparent Tribe.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_085", "https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/" ], "synonyms": [], "type": [] }, "uuid": "f80e8948-8e1e-4ecf-8d5e-08148e4dd2b0", "value": 
"Unidentified 085" }, { "description": "Symantec describes this family as an unidentified tool set used to target a range of organizations in South East Asia. The campaign was first noticed in September 2020.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_087", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-south-east-asia?s=09" ], "synonyms": [], "type": [] }, "uuid": "a4c9861e-93c6-4b2b-aa2d-71c1405375b4", "value": "Unidentified 087 " }, { "description": "Ransomware written in Nim.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671" ], "synonyms": [], "type": [] }, "uuid": "d7f1e6cf-1880-426a-881a-619309f32c37", "value": "Unidentified 088 (Nim Ransomware)" }, { "description": "Avast found this unidentified RAT, which abuses a code-signing certificate by the Philippine Navy. It is statically linked against OpenSSL 1.1.1g.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_091", "https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/" ], "synonyms": [], "type": [] }, "uuid": "33c8e201-9cd1-4a44-9380-3e3d3d6894c3", "value": "Unidentified 091" }, { "description": "According to Antiy CERT, this is a C++ backdoor that was first discovered in an attack by Confucius in September 2020. 
Its main functions include creating scheduled tasks, retrieving process information, retrieving network adapter information, retrieving disk drive information, uploading files, downloading files, executing files, and providing shell access.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_092", "https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ" ], "synonyms": [], "type": [] }, "uuid": "22ed4f2a-2ed4-4235-97c3-69913bc80a00", "value": "Unidentified 092 (Confucius Backdoor)" }, { "description": "Check Point Research observed this malware being used by Sidewinder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_093", "https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/" ], "synonyms": [], "type": [] }, "uuid": "9b7dfe8f-c06e-4803-9792-48ca369e80b3", "value": "Unidentified 093 (Sidewinder)" }, { "description": "Wiper, using EldoS RawDisk for low level access to disks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_095", "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf" ], "synonyms": [], "type": [] }, "uuid": "925f7a39-9674-4209-a31a-e09c27117328", "value": "Unidentified 095 (Iranian Wiper)" }, { "description": "Keylogger.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_096", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage" ], "synonyms": [], "type": [] }, "uuid": "0c87cf0d-fa54-4962-817d-eac4c817b21a", "value": "Unidentified 096 (Keylogger)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_097", 
"https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/", "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" ], "synonyms": [], "type": [] }, "uuid": "32fe5b04-1af6-4696-a329-604a9f637c85", "value": "Unidentified 097 (Polonium Keylogger)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_098", "https://ti.qianxin.com/blog/articles/analysis-of-apt29%27s-attack-activities-against-italy/", "https://www.freebuf.com/articles/paper/339618.html", "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/" ], "synonyms": [], "type": [] }, "uuid": "db87fd2d-08ff-431d-86b8-35e31c9fcc9b", "value": "Unidentified 098 (APT29 Slack Downloader)" }, { "description": "This malware uses DropBox for C2 and was spread via spear-phishing attack at government organizations. 
It is different from win.boombox, which is another APT29 attributed malware using DropBox (written in .NET).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099", "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md" ], "synonyms": [], "type": [] }, "uuid": "541a0a05-5c7f-4646-a96b-a4d26d5fa89d", "value": "Unidentified 099 (APT29 Dropbox Loader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100", "https://www.linkedin.com/pulse/analysis-apt-c-60-attack-south-korea-threatbook/", "https://mp.weixin.qq.com/s/Hzq4_tWmunDpKfHTlZNM-A" ], "synonyms": [], "type": [] }, "uuid": "0ee92ce5-e33d-4393-a466-6b5f6a1ca6a5", "value": "Unidentified 100 (APT-Q-12)" }, { "description": "A malware that uses .NET to load unmanaged (shell)code which has some resemblance to BADHATCH, the IP found in the sample was referred to in coverage on WHITERABBIT ransomware attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor", "https://otx.alienvault.com/pulse/61e7f74a936eea5d44026b8e" ], "synonyms": [ "Sardonic" ], "type": [] }, "uuid": "07106811-cd07-4d05-906d-c05208758b00", "value": "Unidentified 103 (FIN8)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_104", "https://twitter.com/jaydinbas/status/1663916211975987201" ], "synonyms": [], "type": [] }, "uuid": "ec530093-5ffc-45f1-b04d-accf3269b2d2", "value": "Unidentified 104" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_105", "https://twitter.com/h2jazi/status/1681426768597778440" ], "synonyms": [], "type": [] }, "uuid": "07464f74-f587-4266-b828-448c67d2bd85", "value": "Unidentified 105" }, { "description": "This is possibly related to the MATA framework / Dacls.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_106", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/", "https://www.virustotal.com/gui/file/3c1cfc2b8b7e5c2d713ec5f329aa58a6b56a08240199761ba6da91e719d30705/detection", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf" ], "synonyms": [], "type": [] }, "uuid": "da2d8044-ed12-4951-bcd8-fd1e1335244a", "value": "Unidentified 106" }, { "description": "Small shellcode downloader, likely used by APT29.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_107", "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745", "https://lab52.io/blog/2344-2/", "https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs#a3" ], "synonyms": [ "ICEBEAT" ], "type": [] }, "uuid": "e83a3731-9c84-4e36-a2da-9e6c9c2461d7", "value": "Unidentified 107 (APT29)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_108", "https://www.virustotal.com/gui/file/8c94a3cef4e45a1db05ae9723ce5f5ed66fc57316e9868f66c995ebee55f5117/detection" ], "synonyms": [], "type": [] }, "uuid": "ee09eba1-e96e-476f-9372-e99218d8ab90", 
"value": "Unidentified 108" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_109", "https://twitter.com/malwrhunterteam/status/1689533484597952514" ], "synonyms": [ "IMEEX" ], "type": [] }, "uuid": "ad37d6ad-e9b7-4652-8a2e-502b170932e7", "value": "Unidentified 109 (Lazarus?)" }, { "description": "According to Deep Instinct, this information stealer is written in Rust and was observed in Operation Rusty Flag.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110", "https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets" ], "synonyms": [], "type": [] }, "uuid": "00dac929-3038-4fc1-a1a5-0fd895126e92", "value": "Unidentified 110 (RustyFlag)" }, { "description": "A Rust-based stealer observed by Seqrite, with TTPs overlapping those of Pakistan-linked APT groups.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112", "https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/" ], "synonyms": [], "type": [] }, "uuid": "1f50fa09-9c0f-40f8-9431-bd122dd347ff", "value": "Unidentified 112 (Rust-based Stealer)" }, { "description": "According to Phylum, this is a RAT with these characteristics:\r\n* Registers as a scheduled task.\r\n* Receives commands from a remote server using web sockets.\r\n* Installs Chrome extensions to Secure Preferences.\r\n* Configures AnyDesk, hides the screen, and disables shutting down Windows.\r\n* Captures keyboard and mouse events.\r\n* Collects information about files, browser extensions, and browser history.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_113", "https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/" ], "synonyms": [], "type": [] }, "uuid": "24f6e2e6-69c0-4a43-9036-cf275d3aa7ee", "value": "Unidentified 113 (RAT)" }, { 
"description": "According to Trend Micro, this is a small information stealer written in .NET, that pushes its loot to a benign file sharing service and does not have a direct C&C callback.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_114", "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html" ], "synonyms": [], "type": [] }, "uuid": "1f59adb5-43e1-438b-b1c0-18af13ee3b12", "value": "Unidentified 114 (APT28 InfoStealer)" }, { "description": "According to Walmart, this is a loader written in Nim that contains an AmsiScanBuffer patch followed by an EtwEventWrite patch and that will download/decrypt a payload via AES CFB and inject it into a hardcoded process target (e.g. explorer.exe).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_115", "https://medium.com/walmartglobaltech/unknown-nim-loader-using-psbypassclm-cafdf0e0f5cd" ], "synonyms": [], "type": [] }, "uuid": "63e6b775-eecc-462d-ae3c-31c03375e99e", "value": "Unidentified 115 (Nim Loader)" }, { "description": "This malware family delivers its artifacts packed with free and generic packers. 
It writes files to Windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_116" ], "synonyms": [], "type": [] }, "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", "value": "Unidentified 116 (Miner)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_117", "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247501270&idx=1&sn=203ae98a60ffc172cb9e06a1b95116c6&chksm=f9c1f6dfceb67fc916f29b04e9e63fe81a1f916d575ae8c32250fb954ca9619153ba864e118d&scene=178&cur_album_id=1955835290309230595" ], "synonyms": [], "type": [] }, "uuid": "ac2bc9a6-d30d-40a3-9bb4-541f5c1e3d2b", "value": "Unidentified 117 (Donot Loader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92", "https://twitter.com/struppigel/status/810753660737073153", "https://twitter.com/bartblaze/status/976188821078462465" ], "synonyms": [], "type": [] }, "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6", "value": "Unlock92" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html" ], "synonyms": [ "Rombrast" ], "type": [] }, "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd", "value": "UPAS" }, { "description": "Upatre is primarily a downloader. It was discovered in 2013 and has been updated extensively since then. 
Upatre is responsible for delivering further malware to victims; in particular, Upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", "https://secrary.com/ReversingMalware/Upatre/", "https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", "https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/" ], "synonyms": [], "type": [] }, "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0", "value": "Upatre" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" ], "synonyms": [], "type": [] }, "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7", "value": "Urausy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone", "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA", "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/", "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0", "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/", "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware", 
"https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/" ], "synonyms": [ "Bebloh", "Shiotob" ], "type": [] }, "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", "value": "UrlZone" }, { "description": "Uroburos is a driver for Windows, including a bypass of PatchGuard. According to Andrzej Dereszowski and Matthieu Kaczmarek, \"the techniques used demonstrate [their] excellent knowledge of Windows kernel internals.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos", "https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a", "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation", "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots", "https://exatrack.com/public/Uroburos_EN.pdf", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", "https://www.circl.lu/pub/tr-25/", "https://artemonsecurity.com/snake_whitepaper.pdf", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg", "https://artemonsecurity.com/uroburos.pdf", 
"https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence" ], "synonyms": [ "Snake" ], "type": [] }, "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "value": "Uroburos (Windows)" }, { "description": "According to Kaspersky, USBCulprit is a malware that is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view" ], "synonyms": [], "type": [] }, "uuid": "56af8251-4236-42e0-99bc-2c32377e97bb", "value": "USBCulprit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/" ], "synonyms": [], "type": [] }, "uuid": "6d0a92c0-cad8-4470-b780-3041774acad3", "value": "USBferry" }, { "description": 
"ESET reports that Vadokrist is a Latin American banking trojan that they have been tracking since 2018 and that is active almost exclusively in Brazil.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist", "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf", "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/" ], "synonyms": [], "type": [] }, "uuid": "d4ab5619-2347-4949-8102-78296b87a08c", "value": "Vadokrist" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vaggen", "https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/" ], "synonyms": [], "type": [] }, "uuid": "006621d1-a3bd-40f2-a55c-d79c84879a6b", "value": "Vaggen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat", "https://www.secrss.com/articles/52018", "https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat", "https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape" ], "synonyms": [], "type": [] }, "uuid": "fcf8f520-27a9-493e-a274-fbfd70b733b0", "value": "ValleyRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" ], "synonyms": [], "type": [] }, "uuid": "dd95eefd-2ef3-4bda-9065-18f4b03c2249", "value": "VALUEVAULT" }, { "description": "Description:\r\n\r\nVanillaRat is an advanced remote administration tool coded in C#. 
VanillaRat uses the Telepathy TCP networking library, dnlib module reading and writing library, and Costura.Fody dll embedding library.\r\nFeatures:\r\n\r\n Remote Desktop Viewer (With remote click)\r\n File Browser (Including downloading, drag and drop uploading, and file opening)\r\n Process Manager\r\n Computer Information\r\n Hardware Usage Information (CPU usage, disk usage, available ram)\r\n Message Box Sender\r\n Text To Speech\r\n Screen Locker\r\n Live Keylogger (Also shows current window)\r\n Website Opener\r\n Application Permission Raiser (Normal -> Admin)\r\n Clipboard Text (Copied text)\r\n Chat (Does not allow for client to close form)\r\n Audio Recorder (Microphone)\r\n Process Killer (Task manager, etc.)\r\n Remote Shell\r\n Startup\r\n Security Blacklist (Drag client into list if you don't want connection. Press del. key on client to remove from list)\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vanillarat", "https://github.com/DannyTheSloth/VanillaRAT" ], "synonyms": [], "type": [] }, "uuid": "5bb80b4a-d304-460a-bb07-417dea64f213", "value": "vanillarat" }, { "description": "According to Mandiant, VaporRage or BOOMMIC, is a shellcode downloader written in C that communicates over HTTPS. Shellcode Payloads are retrieved from a hardcoded C2 that uses an encoded host_id generated from the targets domain and account name. 
BOOMMIC XOR decodes the downloaded shellcode payload in memory and executes it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage", "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58", "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", "https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns" ], "synonyms": [ "BOOMMIC" ], "type": [] }, "uuid": "5a76d7a1-486e-4f4e-9e23-e544ee9f2ef9", "value": "VaporRage" }, { "description": "In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, they identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. 
The spam targets the users of Orange S.A., a French ISP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky", "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/", "https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/" ], "synonyms": [], "type": [] }, "uuid": "f0740430-248f-4dd9-a2f3-b2592090a8a6", "value": "Varenyky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", "https://medium.com/@Ilandu/vawtrak-malware-824818c1837", "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://www.secureworks.com/research/dyre-banking-trojan" ], "synonyms": [ "Catch", "NeverQuest", "grabnew" ], "type": [] }, "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", "value": "Vawtrak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.veaty", "https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/" ], "synonyms": [], "type": [] }, "uuid": "25546977-de99-4c78-9322-0355cfcebcc8", "value": "Veaty" }, { "description": "Credential Stealer, written in 
.NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.veeam", "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger" ], "synonyms": [ "Eamfo" ], "type": [] }, "uuid": "f85bbceb-dc51-4c11-93a6-21a72255dcaf", "value": "Veeam Dumper" }, { "description": "Delphi-based ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://twitter.com/malwrhunterteam/status/1095024267459284992", "https://twitter.com/malwrhunterteam/status/1093136163836174339", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/" ], "synonyms": [ "Buran", "Vega" ], "type": [] }, "uuid": "704bb00f-f558-4568-824c-847523700043", "value": "VegaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.veiledsignal", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain" ], "synonyms": [], "type": [] }, "uuid": "b75f0dfd-15df-439d-8ff0-8e8f87656565", "value": "VEILEDSIGNAL" }, { "description": "Ransomware that appears to require manual installation (believed to be via RDP). Encrypts files with .velso extension. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.velso", "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/" ], "synonyms": [], "type": [] }, "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", "value": "Velso" }, { "description": "Ransomware, which appears to be a rebranding of win.cuba.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vendetta", "https://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023" ], "synonyms": [], "type": [] }, "uuid": "bd774e26-f558-444b-abe6-c75868374d5e", "value": "Vendetta" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://github.com/jeFF0Falltrades/rat_king_parser", "https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/", "https://blog.malwarelab.pl/posts/venom/", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://axmahr.github.io/posts/asyncrat-detection/" ], "synonyms": [], "type": [] }, "uuid": "2ce1f55e-ac43-4fcb-b647-ff5ae9c26b7c", "value": "Venom RAT" }, { "description": "VenomLNK is the initial phase of the more_eggs malware-as-a-service. It is a poisoned .lnk file that depends on User Execution and points to LOLBINs (often cmd.exe) with additional obfuscated scripting options. 
This typically initiates WMI abuse and TerraLoader, which can load additional functionality through various plugins.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk", "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware", "https://www.esentire.com/web-native-pages/unmasking-venom-spider", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9" ], "synonyms": [], "type": [] }, "uuid": "dea1ff4f-bc6d-40c0-9d19-b60578ea1344", "value": "VenomLNK" }, { "description": "According to Cisco Talos, this is a reverse proxy socks5 server-client tool originally developed for penetration testers. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_proxy", "https://blog.talosintelligence.com/new-zardoor-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "cd2ba5b9-1bfd-41c9-acf2-259a991986c6", "value": "Venom Proxy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker", "https://twitter.com/JaromirHorejsi/status/813690129088937984" ], "synonyms": [], "type": [] }, "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd", "value": "Venus Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermilion_strike", "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/" ], "synonyms": [], "type": [] }, "uuid": "f2db1f70-a284-42c1-9f5a-4b2f46dc8868", "value": "Vermilion Strike (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] }, "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1", "value": "Vermin" }, { "description": "Vetta Loader is a persistent Loader spreading with infected USB drives. 
It downloads other components leveraging legitimate hosting services.\r\nhttps://yoroi.company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vetta_loader", "https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware", "https://fortgale.com/blog/featured/nebula-broker-offensive-operations-italy/", "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-EMPTYSPACE-with-Google-Security", "https://yoroi.company/en/research/unveiling-vetta-loader-a-custom-loader-hitting-italy-and-spread-through-infected-usb-drives/" ], "synonyms": [ "BrokerLoader", "EMPTYSPACE" ], "type": [] }, "uuid": "f5dafd8f-1003-4002-ae05-ecbaa3ba6817", "value": "Vetta Loader" }, { "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services is negligible, but for researchers it can be a nuisance. 
Most versions are protected by VMProtect.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder", "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/" ], "synonyms": [], "type": [] }, "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", "value": "Vflooder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html", "https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html", "https://twitter.com/GrujaRS/status/1241657443282825217", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" ], "synonyms": [], "type": [] }, "uuid": "fb0ad46d-20b6-4e8c-b401-702197667272", "value": "VHD Ransomware" }, { "description": "VictoryGate was the name of a cryptomining botnet, which was disrupted by ESET researchers in April 2020. The malware itself was also referred to as VictoryGate. It was spotted in May 2019 and targeted mainly Latin American users, specifically, Peru (Criptonizando states 90% of the botnet population residing there). Both public and private sectors were targeted.\r\nThis cryptojacking malware was specialized in Monero (XMR) cryptocurrency. 
VictoryGate shows very strong code overlap with win.orchard.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate", "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", "https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/", "https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/", "https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/" ], "synonyms": [], "type": [] }, "uuid": "229cd7f6-2514-42b8-baa6-0c2a22cd5d9c", "value": "VictoryGate" }, { "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar", "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign", "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed", "https://threatpost.com/microsoft-help-files-vidar-malware/179078/", "https://censys.com/tracking-vidar-infrastructure/", "https://embee-research.ghost.io/ghidra-basics-identifying-and-decoding-encrypted-strings/", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/", "https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal", "https://viuleeenz.github.io/posts/2023/10/vidar-payload-inspection-with-static-analysis/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", 
"https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://blog.jaalma.io/vidar-infostealer-analysis/", "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", "https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware", "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/", "https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-vidar-2c0a62a73087", "https://asec.ahnlab.com/en/30875/", "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/", "https://isc.sans.edu/diary/rss/28468", "https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/", "https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/", "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", "https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf", "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html", "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/", "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://ke-la.com/information-stealers-a-new-landscape/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader", "https://censys.com/a-beginners-guide-to-hunting-open-directories/", 
"https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure", "https://www.youtube.com/watch?v=NI_Yw2t9zoo", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", "https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd", "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif", "https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back", "https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf", "https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing", "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://www.gatewatcher.com/lab/utilisation-de-faux-profils-steam-vidar-prend-les-commandes/", "https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-2/", "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google", "https://cert.pl/en/posts/2021/10/vidar-campaign/", "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", "https://asec.ahnlab.com/en/30445/", "https://asec.ahnlab.com/en/22932/", "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/", "https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271", "https://intel471.com/blog/privateloader-malware", "https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/", 
"https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/", "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/", "https://twitter.com/GroupIB_GIB/status/1570821174736850945", "https://twitter.com/sisoma2/status/1409816282065743872", "https://www.youtube.com/watch?v=lxdlNOaHJQA", "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer", "https://eln0ty.github.io/malware%20analysis/vidar/", "https://m4lcode.github.io/malware%20analysis/vidar/", "https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/", "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk", "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper", "https://asec.ahnlab.com/ko/25837/" ], "synonyms": [], "type": [] }, "uuid": "1f44c08a-b427-4496-9d6d-909b6bf34b9b", "value": "Vidar" }, { "description": "Wiper malware discovered by Japanese security firm Mitsui Bussan Secure Directions (MBSD), which is assumed to target Japan, the host country of the 2021 Summer Olympics. 
In addition to targeting common Office-related files, it specifically targets file types associated with the Japanese word processor Ichitaro.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner", "https://www.mbsd.jp/research/20210721/blog/", "https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/", "https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games", "https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/", "https://blog.trendmicro.co.jp/archives/28319" ], "synonyms": [ "VIGILANT CHECKER" ], "type": [] }, "uuid": "65711172-14f7-4e3d-9aca-7895b37b2e9a", "value": "VIGILANT CLEANER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vilsastealer", "https://www.cyfirma.com/research/vilsa-stealer/" ], "synonyms": [], "type": [] }, "uuid": "86011ece-affa-4913-8674-a68096a77122", "value": "Vilsa Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor", "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ], "synonyms": [], "type": [] }, "uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4", "value": "virdetdoor" }, { "description": "Polymorphic parasitic file-infecting virus which transforms files into copies of itself. 
Additionally it uses screen-locking as a ransomware technique.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017", "https://www.ciberseguridad.eus/sites/default/files/2022-04/bcsc-malware-virlock-tlpwhite_v1242.pdf", "https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-its-file-infector-its-ransomware-its-virlock/", "https://blogs.blackberry.com/en/2019/07/threat-spotlight-virlock-polymorphic-ransomware", "https://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/" ], "synonyms": [], "type": [] }, "uuid": "86ea83f1-c06c-4ee3-9c4e-df302974f649", "value": "VirLock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virtualgate", "https://norfolkinfosec.com/some-notes-on-virtualgate/" ], "synonyms": [], "type": [] }, "uuid": "48d47a27-464a-4087-b691-574c3b494efb", "value": "VIRTUALGATE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", "https://www.secureworks.com/research/virut-encryption-analysis", "https://chrisdietri.ch/post/virut-resurrects/", "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/", "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/", "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/", "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/", "https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet", "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [], "type": [] }, "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", "value": "Virut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vizom", 
"https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/" ], "synonyms": [], "type": [] }, "uuid": "a49d6db9-32a0-42a8-acb9-174146a7fafa", "value": "Vizom" }, { "description": "VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm", "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", "https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", "https://resources.securityscorecard.com/research/acasestudyofVjw0rm#page=1", "https://twitter.com/tccontre18/status/1461386178528264204", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics", "https://community.riskiq.com/article/24759ad2", "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", "https://bazaar.abuse.ch/browse/signature/Vjw0rm/" ], "synonyms": [], "type": [] }, "uuid": "3a8186f1-ff2a-4431-be99-7e31c0096f15", "value": "Vjw0rm" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus", "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/" ], "synonyms": [ "VMzeus", "Zberp", "ZeusVM" ], "type": [] }, "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f", "value": "VM Zeus" }, { "description": "Malware of this family searches for computers on a network and creates copies of itself in folders with open access. For the program to be activated, the user must first run it on the computer. The code of this malware is written in the Visual Basic programming language and uses obfuscation, which is a distinguishing feature of this family. Code obfuscation complicates attempts by anti-virus software to analyze suspected malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions", "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/", "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html" ], "synonyms": [ "Beebone" ], "type": [] }, "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", "value": "Vobfus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vohuk", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants", "https://github.com/MalGamy/YARA_Rules/blob/main/vohuk.yara" ], "synonyms": [], "type": [] }, "uuid": "f2c91bfb-1b22-4399-849a-f07304c2e81f", "value": "Vohuk" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.void", "https://securelist.com/cis-ransomware/104452/", "https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html" ], "synonyms": [ "VoidCrypt" ], "type": [] }, 
"uuid": "55f66b60-5284-4db6-b26e-52b3aea17641", "value": "Void" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.voidoor", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/#id4" ], "synonyms": [], "type": [] }, "uuid": "e9525c0d-0fba-4a0c-8b9d-31acc21194db", "value": "Voidoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.void_rat", "https://resources.securityscorecard.com/research/technical-analysis-of-the-quasar-forked-rat-called-void-rat" ], "synonyms": [], "type": [] }, "uuid": "d78756c3-912a-438e-b9d2-d41ae95f42c3", "value": "VoidRAT" }, { "description": "Voldemort is a backdoor discovered by Proofpoint in August 2024. It is being distributed via phishing E-Mails and makes use of creative techniques such as using saved search files during the infection chain for obfuscation and Google Sheets for C2. 
While its broad targeting looks like it is related to ecrime, Proofpoint notes that the capabilities of the malware point towards espionage/APT activity.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.voldemort", "https://x.com/threatinsight/status/1848745326884360548", "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "synonyms": [], "type": [] }, "uuid": "c87d3310-07fd-4e3a-88ca-9ccb0a339876", "value": "Voldemort" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer", "https://asec.ahnlab.com/en/56405/", "https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", "https://securelist.com/operation-applejeus/87553/", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://asec.ahnlab.com/en/57685/", "https://asec.ahnlab.com/ko/56256/", "https://securelist.com/lazarus-threatneedle/100803/", "https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf", "https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view" ], "synonyms": [ "FALLCHILL", "Manuscrypt" ], "type": [] }, "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "value": "Volgmer" }, { "description": "Ransomware written in D.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vovalex", "https://twitter.com/VK_Intel/status/1355196321964109824", "https://twitter.com/malwrhunterteam/status/1351808079164276736" ], "synonyms": 
[], "type": [] }, "uuid": "fe4ffa8d-74d2-472a-b0ca-83f9e7f95739", "value": "Vovalex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi", "https://twitter.com/malware_traffic/status/821483557990318080" ], "synonyms": [], "type": [] }, "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4", "value": "Vreikstadi" }, { "description": "Vshell is an OST framework written in Go, enabling availability of implants for multiple platforms (Windows, Linux, macOS).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell", "https://github.com/veo/vshell" ], "synonyms": [], "type": [] }, "uuid": "b7055f10-84a9-4380-ae76-6094c23ef8b7", "value": "Vshell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vsingle", "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html", "https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html", "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.youtube.com/watch?v=nUjxH1gW53s", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage" ], "synonyms": [], "type": [] }, "uuid": "a9afe6ba-732a-45fe-a925-2b61b05e5a76", "value": "VSingle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer", "http://www.xylibox.com/2013/01/vskimmer.html", "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis", "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/" ], "synonyms": [], "type": [] }, "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8", "value": "vSkimmer" }, { "description": "Information stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vulturi", "https://twitter.com/ViriBack/status/1430604948241276928?s=20" ], "synonyms": [], "type": [] }, "uuid": 
"cfbd52a9-39d6-46f4-a539-76abcec92088", "value": "Vulturi" }, { "description": "Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.\r\n\r\nIt uses a simple XOR for encryption of its configuration and network traffic. \r\n\r\nIt sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.\r\n\r\nIt supports more than 20 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, and the download and memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. Also, it can monitor newly connected drives and the number of logged-on users.\r\n\r\nIt has MPRD.dll as the internal DLL name, and a single export SamIInitialize.\r\n\r\nVyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva", "https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "b7f0ba08-8e7c-43cd-9b26-8dfef763a404", "value": "Vyveva RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times", "https://attack.mitre.org/wiki/Group/G0022" ], "synonyms": [], "type": [] }, "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", "value": "w32times" }, { "description": "Wabot is an IRC worm that is written in Delphi. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wabot", "https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html" ], "synonyms": [], "type": [] }, "uuid": "cce35d3d-aea0-4e59-92cf-3289be4a4c21", "value": "win.wabot" }, { "description": "wAgentTea is an HTTP(S) downloader. \r\n\r\nIt was deployed mostly against South Korean targets like a pharmaceutical company (Q4 2020) or semiconductor industry (Q2 2023). In several cases, the initial access was obtained via exploitation of South Korean software like Initech's INISAFE CrossWeb EX or Dream Security’s MagicLine4NX.\r\n\r\nIt uses AES-128 for encryption and decryption of its network traffic, and for decryption of its binary configuration.\r\n\r\nThere is a hard-coded list of parameter names used in its HTTP POST request:\r\nidenty;tname;blogdata;content;thesis;method;bbs;level;maincode;tab;idx;tb;isbn;entry;doc;\r\ncategory;articles;portal\r\n\r\nIt contains a specific RTTI symbol \".?AVCHttp_socket@@\".\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wagenttea", "https://asec.ahnlab.com/en/33801/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://asec.ahnlab.com/wp-content/uploads/2023/10/20231013_Lazarus_OP.Dream_Magic.pdf" ], "synonyms": [ "wAgent" ], "type": [] }, "uuid": "03bf5a8b-774c-498a-9fa2-b4027695fd00", "value": "wAgentTea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wallyshack", "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" ], "synonyms": [], "type": [] }, "uuid": "0bd92907-c858-4164-87d6-fec0f3595e69", "value": "WallyShack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor", 
"https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf", "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/", "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", "https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html", "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", 
"https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf", "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://sites.temple.edu/care/ci-rw-attacks/", "https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf", "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf", "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", "https://www.youtube.com/watch?v=Q90uZS3taG0", "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf", "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/" ], "synonyms": [ "Wana Decrypt0r", "WannaCry", "WannaCrypt", "Wcry" ], "type": [] }, "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", "value": "WannaCryptor" }, { "description": "According to Mars, WannaHusky is a Nim-compiled ransomware malware sample, created for demonstration purposes and provided as part of the Practical Malware Analysis & Triage course provided by HuskyHacks.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wannahusky", "https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909" ], "synonyms": [], "type": [] }, "uuid": "10fc30fe-9f64-4765-a341-acde878f105c", "value": "WannaHusky" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannaren", "https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "44f548e2-9a47-433a-bccf-fff412d2963b", "value": "WannaRen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.warezov", "https://www.secureworks.com/research/warezov" ], "synonyms": [ "Opnis", "Stration" ], "type": [] }, "uuid": "925a5c68-5c9c-45ae-a3a5-8ba5ba692ada", "value": "Warezov" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.warhawk", "https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group", "https://mp.weixin.qq.com/s/ewGyvlmWUD45XTVsoxeVpg" ], "synonyms": [], "type": [] }, "uuid": "92e52625-f8eb-422e-b277-0bc994c19bb4", "value": "WarHawk" }, { "description": "WarmCookie is a backdoor capable of executing commands, reading/writing files and capturing screenshots. It communicates with a command and control (C&C) server via HTTP to receive further instructions and exfiltrate stolen data. 
It is commonly distributed through phishing campaigns and malicious downloads, targeting unsuspecting users to infiltrate systems undetected.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.warmcookie", "https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor", "https://www.elastic.co/security-labs/dipping-into-danger", "https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_WarmCookie.yar", "https://github.com/X-Junior/Malware-String-Decryptor-Scripts/blob/main/Badspace/badspace.py", "https://community.emergingthreats.net/t/sigs-w32-badspace-backdoor/1630", "https://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure", "https://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution", "https://github.com/dstepanic/slides/blob/main/VBCONF_2024/VB2024%20-%20Getting%20Cozy%20with%20Milk%20and%20WARMCOOKIES.pdf", "https://blog.talosintelligence.com/warmcookie-analysis/", "https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign", "https://x.com/GenThreatLabs/status/1840762181668741130", "https://securityintelligence.com/x-force/hive0137-on-ai-journey/", "https://github.com/X-Junior/Malware-IDAPython-Scripts/blob/main/Badspace/badspace.py" ], "synonyms": [ "Badspace", "KongTuke", "QUICKBIND" ], "type": [] }, "uuid": "2088185c-4ac4-4956-968e-103edc955f4e", "value": "WarmCookie" }, { "description": "This malware looks similar to WastedLocker, but the ransomware component is missing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader", "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf", "https://killingthebear.jorgetesta.tech/actors/evil-corp" ], "synonyms": [], "type": [] }, "uuid": "c6b601f6-4cb6-4e7b-98fd-35af910ec0d8", "value": 
"WastedLoader" }, { "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker", "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf", "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/", 
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://ioc.hatenablog.com/entry/2020/08/16/132853", "https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/", "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd", "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", "https://unit42.paloaltonetworks.com/wastedlocker/", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf", "https://securelist.com/wastedlocker-technical-analysis/97944/", "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/", "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", "https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter", "https://www.bbc.com/news/world-us-canada-53195749", "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", 
"https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/", "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/", "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77", "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf" ], "synonyms": [], "type": [] }, "uuid": "e72a0bde-ea5b-4450-bc90-b5d2dca697b4", "value": "WastedLocker" }, { "description": "Waterbear, also known as DbgPrint in its earlier export function, has been active since 2009. The malware is presumably developed by the BlackTech APT group and adopts advanced anti-analysis and forward-thinking design. 
These designs include a sophisticated shellcode stager, the ability to load plugins on-the-fly, and overall evasiveness should the C2 server fail to respond with a valid session key.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html", "https://www.youtube.com/watch?v=6SDdUVejR2w", "https://daydaynews.cc/zh-tw/technology/297265.html", "https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/", "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" ], "synonyms": [ "DbgPrint", "EYEWELL" ], "type": [] }, "uuid": "042ddeed-78e4-4799-965a-3b6815145f28", "value": "Waterbear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer", "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner" ], "synonyms": [], "type": [] }, "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367", "value": "WaterMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], "type": [] }, "uuid": "d238262a-4832-408f-9926-a7174e671b50", "value": "WaterSpout" }, { "description": "Wave Stealer is an infostealer offered as Malware-as-a-Service by a French-speaking actor called \"Wave\". The threat actor has strong relationships with Nova Stealer's and Epsilon Stealer's groups. 
Its capabilities include password and crypto-wallet theft, Discord and Telegram injection, and a backup-code finder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wavestealer", "https://coolaudit.com/new-wavestealer-spotted-in-wild-stealing-login-credentials-credit-card-data/", "https://montysecurity.medium.com/from-osint-to-disk-wave-stealer-analysis-2010d2e340f0" ], "synonyms": [], "type": [] }, "uuid": "211b7cfe-51e8-4dfe-af12-5f350e49af86", "value": "Wave Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wavy_exfiller", "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/" ], "synonyms": [], "type": [] }, "uuid": "6df6bf6d-8069-4923-914f-b56b2a111972", "value": "WavyExfiller" }, { "description": "WebbyTea is an HTTP(S) downloader that uses AES for C&C traffic encryption.\r\n\r\nIt sends detailed information about the victim's environment, like proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix \"ci\", a 16-character hexadecimal string representing the victim ID, and encrypted data about the victim's system. 
After the payload is acquired from the server and successfully injected in a newly created explorer.exe process, the malware responds back with the same victim ID having the prefix changed to \"cs\".\r\n\r\nThe internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived).\r\n\r\nThe usual payload associated with WebbyTea is SnatchCrypto.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea", "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf", "https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/" ], "synonyms": [], "type": [] }, "uuid": "e8056d43-7dd7-49ae-8cd7-07be367fb6b4", "value": "WebbyTea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c", "value": "WebC2-AdSpace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "64f5ae85-1324-43de-ba3a-063785567be0", "value": "WebC2-Ausov" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f", "value": "WebC2-Bolid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson", 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4", "value": "WebC2-Cson" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "acdda3e5-e776-419b-b060-14f3406de061", "value": "WebC2-DIV" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "cfed10ed-6601-469e-a1df-2d561b031244", "value": "WebC2-GreenCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6", "value": "WebC2-Head" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087", "value": "WebC2-Kt3" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65", "value": "WebC2-Qbp" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c", "value": "WebC2-Rave" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae", "value": "WebC2-Table" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156", "value": "WebC2-UGX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e", "value": "WebC2-Yahoo" }, { "description": "On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. 
Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.'\r\nUnit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows creating client binaries that will not show any popup or dialogue during installation or while running on a target system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/", "https://revcode.se/product/webmonitor/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord", "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/" ], "synonyms": [ "RevCode" ], "type": [] }, "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", "value": "WebMonitor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wecontrol", "https://unit42.paloaltonetworks.com/westeal/" ], "synonyms": [], "type": [] }, "uuid": "541720a8-a125-4277-b109-c04e475c4cc3", "value": "WeControl" }, { "description": "WellMess is a Remote Access Trojan written in Go and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example \"gost\". 
Command and Control traffic is handled via HTTP using the Set-Cookie field and message body.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html", "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html", "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", "https://us-cert.cisa.gov/ncas/alerts/aa21-116a", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://community.riskiq.com/article/541a465f/description", "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://censys.com/advanced-persistent-infrastructure-tracking/" ], "synonyms": [], "type": [] }, "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", "value": "WellMess" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.westeal", "https://unit42.paloaltonetworks.com/westeal/" ], "synonyms": [], "type": [] }, "uuid": "8ec2d984-8c10-49f2-ad97-64af275a7afc", "value": "WeSteal" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.whiskerspy", "https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "821b2c61-31b0-41f5-b604-e58678bf287b", "value": "WhiskerSpy" }, { "description": "Destructive malware deployed against targets in Ukraine in January 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate", "https://www.brighttalk.com/webcast/15591/534324", "https://cert.gov.ua/article/18101", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a", "https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/", "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", "https://www.secureworks.com/blog/whispergate-not-notpetya", "https://www.youtube.com/watch?v=Ek3URIaC5O8", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", "https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/", "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", "https://twitter.com/HuskyHacksMK/status/1482876242047258628", "https://www.crowdstrike.com/blog/who-is-ember-bear/", "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", "https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/", "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/", 
"https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html", "https://twitter.com/knight0x07/status/1483401072102502400", "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", "https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/", "https://www.youtube.com/watch?v=2nd-f1dIfD4", "https://www.elastic.co/fr/security-labs/operation-bleeding-bear", "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/", "https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", "https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf", "https://www.netskope.com/blog/netskope-threat-coverage-whispergate", "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", 
"https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", "https://thehackernews.com/2022/02/putin-warns-russian-critical.html", "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/", "https://inquest.net/blog/2022/02/10/380-glowspark", "https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://twitter.com/nunohaien/status/1484088885575622657", "https://twitter.com/Libranalysis/status/1483128221956808704", "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", "https://rxored.github.io/post/analysis/whispergate/whispergate/", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html", "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md", "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation", "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", "https://unit42.paloaltonetworks.com/atoms/ruinousursa/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/", 
"https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", "https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/", "https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk", "https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped", "https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/", "https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months", "https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb", "https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground" ], "synonyms": [ "PAYWIPE" ], "type": [] }, "uuid": "6001ed9f-9108-4481-9980-dc6e5c1908a0", "value": "WhisperGate" }, { "description": "According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. 
An interesting feature is that the malware can be restricted to operate only within certain \"working_hours\" with a granularity of one minute.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", "https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "20286294-3813-4c17-a165-ef12aae64303", "value": "WhiteBird" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt", "https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316", "https://www.checkmal.com/video/read/3605/" ], "synonyms": [ "WARYLOOK" ], "type": [] }, "uuid": "f587a5a2-907e-456c-91e9-74fd997c03b5", "value": "WhiteBlackCrypt" }, { "description": "WhiteSnake Stealer, discovered in February 2022, is a sophisticated .NET data-stealing malware that targets browsers, applications, and crypto wallets.\r\n\r\nThe builder can build payloads in different file formats such as EXE, SCR, COM, CMD, BAT, VBS, PIF, WSF, .hta, MSI, PY, DOC, DOCM, XLS, XLL, XLSM. Some of these (python, bash) allow the malware to run on Linux systems.\r\n\r\nThe stealer has two execution methods:\r\n\r\n* Non-resident - the stealer auto-deletes itself after successful execution\r\n* Resident - the stealer beacons out to the C2 (possibly in the TOR network)\r\n\r\nWhiteSnake Stealer can gather system information, execute remote commands, spread through USB drives, and perform tasks like keylogging, file management, and webcam access. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitesnake", "https://news.drweb.com/show/?i=14823&lng=en&c=5", "https://www.infinitumit.com.tr/en/white-snake-stealer-report/", "https://russianpanda.com/2023/07/04/WhiteSnake-Stealer-Malware-Analysis/", "https://bazaar.abuse.ch/sample/5066eca9c7309af16c882ffae79ceee93d5c8a8bcfe3726455c9b5589a492553/" ], "synonyms": [], "type": [] }, "uuid": "8f5bb3ec-a764-4ef4-a113-532a3d4b82c4", "value": "WhiteSnake Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wikiloader", "https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt3.md", "https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion", "https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20notepad.md", "https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/", "https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt2.md", "https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19", "https://twitter.com/threatinsight/status/1679864625544978432" ], "synonyms": [ "WailingCrab" ], "type": [] }, "uuid": "8dd43a3f-320a-4bdd-8379-b592cd6efc1f", "value": "WikiLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire" ], "synonyms": [], "type": [] }, "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", "value": "WildFire" }, { "description": "Information stealer used by threat actor LuoYu.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer", "https://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html", "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_7_leon-niwa-ishimaru_en.pdf", "https://cocomelonc.github.io/book/2023/12/13/malwild-book.html", 
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf", "https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware", "https://blogs.jpcert.or.jp/en/2021/10/windealer.html", "https://securelist.com/windealer-dealing-on-the-side/105946", "https://securelist.com/windealer-dealing-on-the-side/105946/" ], "synonyms": [], "type": [] }, "uuid": "3aa42316-9f3b-457b-9560-99ccf00a45c1", "value": "WinDealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wineloader", "https://twitter.com/SinghSoodeep/status/1763808104221737156", "https://twitter.com/greglesnewich/status/1762549311294804145", "https://www.binarydefense.com/resources/blog/wineloader-analysis-of-the-infection-chain/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2024-CTI-006.pdf", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader", "https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties" ], "synonyms": [], "type": [] }, "uuid": "3e0693b5-cbda-4dea-a7d5-768cc214ac0b", "value": "WINELOADER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wininetloader", "https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf" ], "synonyms": [ "LIDSHOT" ], "type": [] }, "uuid": "5801591a-d6f1-45b1-8abd-718257dd2433", "value": "WinInetLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winlog", "https://github.com/Thibault-69/Keylogger-Windows-----WinLog" ], "synonyms": [], "type": [] }, "uuid": "772099d0-b74a-4a73-9967-f1d40ab3ac92", "value": "winlog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", 
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [], "type": [] }, "uuid": "6a100902-7204-4f20-b838-545ed86d4428", "value": "WinMM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", "https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf", "https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://www.lastline.com/labsblog/helo-winnti-attack-scan/", "https://github.com/TKCERT/winnti-nmap-script", "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf", "https://github.com/TKCERT/winnti-suricata-lua", "http://web.br.de/interaktiv/winnti/english/", "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", 
"https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://attack.mitre.org/groups/G0096", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf", "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive", "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", "https://securelist.com/games-are-over/70991/", "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/", "https://www.youtube.com/watch?v=_fstHQSK-kk", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/", "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/", "https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html", "https://content.fireeye.com/apt-41/rpt-apt41/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf", "https://content.fireeye.com/api/pdfproxy?id=86840", "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", 
"https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", "https://github.com/br-data/2019-winnti-analyse/", "https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://www.youtube.com/watch?v=YCwyc6SctYs", "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf", "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html", "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/", "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "https://www.youtube.com/watch?v=qk9XLDBLPXg", "http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf", "https://harfanglab.io/en/insidethelab/isoon-leak-analysis/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", "https://github.com/TKCERT/winnti-detector", "https://github.com/superkhung/winnti-sniff" ], "synonyms": [ "BleDoor", "JUMPALL", "Pasteboy", "RbDoor" ], "type": [] }, "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "value": "Winnti (Windows)" }, { "description": "According to ESET Research, this is a payload downloaded by win.wslink. 
They attribute it with low confidence to Lazarus.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winordll64", "https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/" ], "synonyms": [], "type": [] }, "uuid": "64f7f940-db4c-4569-869b-d282dadf55ac", "value": "WinorDLL64" }, { "description": "WinPot is ATM malware designed to make ATMs from a popular ATM vendor automatically dispense all cash from their most valuable cassettes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot", "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/", "https://securelist.com/atm-robber-winpot/89611/", "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/" ], "synonyms": [ "ATMPot" ], "type": [] }, "uuid": "893a1da2-ae35-4877-8cde-3f532543af36", "value": "WinPot" }, { "description": "Backdoor used in the EvilPlayout campaign against Iran's State Broadcaster.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winscreeny", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/" ], "synonyms": [], "type": [] }, "uuid": "b45a1776-11a8-4ac9-9714-33cb17709166", "value": "WinScreeny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [], "type": [] }, "uuid": "db755407-4135-414c-90e3-97f5e48c6065", "value": "Winsloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", 
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://docs.broadcom.com/doc/waterbug-attack-group" ], "synonyms": [ "Epic", "Tavdig" ], "type": [] }, "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", "value": "Wipbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost", "https://secrary.com/ReversingMalware/WMIGhost/", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [ "Syndicasec", "Wimmie" ], "type": [] }, "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40", "value": "WMI Ghost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322", "value": "WndTest" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu", "https://unit42.paloaltonetworks.com/atoms/iron-taurus/" ], "synonyms": [], "type": [] }, "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9", "value": "Wonknu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814" ], "synonyms": [], "type": [] }, "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52", "value": "woody" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woodyrat", "https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/" ], "synonyms": [], "type": [] }, "uuid": "9828a0ad-bb48-4cb5-b4f4-9b4133fa044f", "value": "Woody RAT" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf" ], "synonyms": [ "WoolenLogger" ], "type": [] }, "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", "value": "Woolger" }, { "description": "Information Stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.worldwind", "https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed", "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/" ], "synonyms": [], "type": [] }, "uuid": "ebeca38e-0855-46e1-b46c-95405917231e", "value": "WorldWind" }, { "description": "WORMHOLE is a TCP tunneler that is dynamically configurable from a C&C server and can communicate with an additional remote machine endpoint for a relay.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", "https://content.fireeye.com/apt/rpt-apt38", "https://securelist.com/lazarus-under-the-hood/77908/" ], "synonyms": [], "type": [] }, "uuid": "c1bff74d-873d-41ad-9f76-b341e6fe5cb9", "value": "WORMHOLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormlocker", "https://twitter.com/Kangxiaopao/status/1355056807924797440" ], "synonyms": [ "WormLckr" ], "type": [] }, "uuid": "4cc30b46-53c0-45c4-8847-e3b228bf8d7b", "value": "WormLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot", 
"https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites" ], "synonyms": [], "type": [] }, "uuid": "454e0737-98d6-499a-8562-1adf5c081d0d", "value": "WpBruteBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl", "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], "type": [] }, "uuid": "62fd2b30-55b6-474a-8d72-31e492357d11", "value": "WSCSPL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink", "https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf", "https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/", "https://twitter.com/darienhuss/status/1453342652682981378" ], "synonyms": [ "FinickyFrogfish" ], "type": [] }, "uuid": "63fc32b0-3017-418c-b00a-ae20205e9c90", "value": "Wslink" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.x4", "https://www.gradiant.org/noticia/analysis-malware-cve-2017/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage" ], "synonyms": [], "type": [] }, "uuid": "107341e7-e045-4798-9fab-16691e86bc58", "value": "x4" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.secureworks.com/research/threat-profiles/iron-twilight", 
"https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "synonyms": [ "chopstick", "splm" ], "type": [] }, "uuid": "e8b38fbd-a7ce-4073-a660-44dfabc1b678", "value": "X-Agent (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html" ], "synonyms": [], "type": [] }, "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436", "value": "XBot POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" ], "synonyms": [], "type": [] }, "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", "value": "XBTL" }, { "description": "Checkpoint Research found this backdoor, attributed to IndigoZebra, used to target Afghan and other Central-Asia countries, including Kyrgyzstan and Uzbekistan, since at least 2014.", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xcaon", "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" ], "synonyms": [], "type": [] }, "uuid": "2c150ebc-8fdf-4324-96cd-d6b0c0087d55", "value": "xCaon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdata", "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/" ], "synonyms": [ "AESNI" ], "type": [] }, "uuid": "2fa666de-cab2-4c25-aa65-e5d162a979c9", "value": "XData" }, { "description": "According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy", "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://github.com/eset/malware-ioc/tree/master/xdspy/", "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf" ], "synonyms": [], "type": [] }, "uuid": "2cf836f5-b88a-417d-b3c6-ab2580fea6ad", "value": "XDSpy" }, { "description": "Xehook is a .NET-based malware targeting Windows systems. It collects data from Chromium and Gecko browsers, supporting over 110 cryptocurrencies and 2FA extensions. CRIL found a potential link between Xehook Stealer, Agniane, and the Cinoshi project, suggesting a progression from a free MaaS model to the development of Xehook Stealer. 
SmokeLoader binaries were identified as a common vector for distributing Xehook Stealer. Xehook Stealer shares code overlaps with Agniane Stealer, indicating an evolutionary relationship.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xehook", "https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/" ], "synonyms": [], "type": [] }, "uuid": "93780092-2007-49df-8d14-2701ae5a4c57", "value": "XehookStealer" }, { "description": "XenArmor is a suite of password recovery tools for various applications that have been observed to be abused in attacks alongside malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xenarmor", "https://xenarmor.com/" ], "synonyms": [ "XenArmor Suite" ], "type": [] }, "uuid": "79fd77ba-4b40-4354-820a-16662edba41d", "value": "XenArmor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xenon", "https://twitter.com/3xp0rtblog/status/1331974232192987142" ], "synonyms": [], "type": [] }, "uuid": "09fd85b1-6fc9-45af-a37e-732b5fc6447b", "value": "Xenon Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat", "https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/", "https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github", "https://github.com/moom825/xeno-rat" ], "synonyms": [], "type": [] }, "uuid": "77f922e2-3787-4564-ba68-333ea3b948ba", "value": "XenoRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer", "https://www.zscaler.com/blogs/security-research/x-files-stealer-evolution-analysis-and-comparison-study", "https://twitter.com/3xp0rtblog/status/1473323635469438978", "https://cyberint.com/blog/research/xfiles-stealer-campaign-abusing-follina/" ], "synonyms": [], "type": [] }, "uuid": 
"4e980ff8-20f2-4b3f-bad8-763321932b99", "value": " X-Files Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm", "https://twitter.com/VK_Intel/status/1149454961740255232", "https://twitter.com/r3c0nst/status/1149043362244308992" ], "synonyms": [], "type": [] }, "uuid": "e78a2a31-8c20-4493-b854-c708e81b3f41", "value": "XFSADM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr", "https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/", "https://twitter.com/r3c0nst/status/1166773324548063232" ], "synonyms": [], "type": [] }, "uuid": "ba99edf0-1603-4f54-8fa9-18852417d0fc", "value": "XFSCashNCR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiangoop", "https://hitcon.org/2024/CMT/slides/Pirates_of_The_Nang_Hai_Follow_the_Artifacts_of_Tropic_Trooper,_No_One_Knows.pdf", "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/" ], "synonyms": [], "type": [] }, "uuid": "b61903a1-51e6-493c-885f-6ffda99371ea", "value": "Xiangoop" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba", "https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html" ], "synonyms": [ "FlyStudio" ], "type": [] }, "uuid": "e839ae61-616c-4234-8edb-36b48040e5af", "value": "XiaoBa" }, { "description": "According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called \"bundling\".\r\n\r\nIn most cases, \"bundling\" is used to infiltrate several potentially unwanted programs (PUAs) at once. 
So, there is a high probability that an unwanted XMRIG installation came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. Note that XMRig is also commonly dropped as the payload of cryptojacking campaigns that compromise exposed services (see the Docker/Kubernetes and PHP exploitation references), so an unexpected XMRig process should be treated as an intrusion indicator in its own right rather than only as a potentially unwanted application.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig", "https://gridinsoft.com/xmrig", "https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/", "https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure" ], "synonyms": [], "type": [] }, "uuid": "88efd461-03dd-42eb-976c-5e9fe403fce6", "value": "xmrig" }, { "description": "According to PCrisk, Xorist is a family of ransomware-type malware. After stealth system infiltration, ransomware from this family encrypts various files stored on the computer. After encrypting the files, this ransomware creates a 'How to Decrypt Files.txt' text file on the victim's desktop. The file contains a message stating that the files can only be restored by paying a ransom.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xorist", "https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants" ], "synonyms": [], "type": [] }, "uuid": "029369aa-9e88-4e98-8fda-ca29a873acc5", "value": "Xorist" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp10", "https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "6aa7047f-7dfa-4a10-b515-853c3795db69", "value": "XP10" }, { "description": "Symantec describes this as a decryptor/loader used by Chinese threat actor Antlion in campaigns targeting Taiwan.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack", "https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html", 
"https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks" ], "synonyms": [ "NERAPACK" ], "type": [] }, "uuid": "f87a348e-fa1f-4c90-8b46-ef382868d043", "value": "xPack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan", "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/", "https://securelist.com/blog/research/78110/xpan-i-am-your-father/" ], "synonyms": [], "type": [] }, "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993", "value": "Xpan" }, { "description": "Incorporates code of Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis", "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/" ], "synonyms": [ "Expectra" ], "type": [] }, "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", "value": "XPCTRA" }, { "description": "According to PCrisk, XpertRAT is a Remote Administration Trojan, a malicious program that allows cyber criminals to remotely access and control infected computers. Typically, users download and install this software inadvertently because they are tricked. 
Because an infected computer is under the attacker's remote control, an XpertRAT infection should be treated as a full compromise of that host.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat", "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration", "https://labs.k7computing.com/?p=15672" ], "synonyms": [], "type": [] }, "uuid": "d03cb3af-2a01-4e46-859a-6b61f3ec3c68", "value": "XpertRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" ], "synonyms": [], "type": [] }, "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae", "value": "XP PrivEsc (CVE-2014-4076)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xserver", "https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf", "https://norfolkinfosec.com/filesnfer-tool-c-python/" ], "synonyms": [ "Filesnfer" ], "type": [] }, "uuid": "b895ec07-19f7-4131-87c0-fc713fff2351", "value": "XServer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "nokian" ], "type": [] }, "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63", "value": "xsPlus" }, { "description": "X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf", 
"https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "Shunnael", "X-Tunnel", "xaps" ], "type": [] }, "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", "value": "XTunnel" }, { "description": "This is a rewrite of win.xtunnel using the .NET framework that surfaced late 2017.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net", "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28" ], "synonyms": [], "type": [] }, "uuid": "000e25a4-4623-4afc-883d-ecc15be8f9d0", "value": "X-Tunnel (.NET)" }, { "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. 
It is likely related to the previously reported malware families Xbash and MongoLock.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", "https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner" ], "synonyms": [], "type": [] }, "uuid": "8a57cd75-4572-47c2-b5ef-55df978258de", "value": "Xwo" }, { "description": "Malware with wide range of capabilities ranging from RAT to ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm", "https://youtu.be/ln23TT9PcmI", "https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/", "https://youtu.be/tenNFzM-MM0", "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/", "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla", "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://www.youtube.com/watch?v=tenNFzM-MM0", "https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://hunt.io/blog/hunting-and-collecting-malware-via-open-directories-part-1", "https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/", "https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/", "https://kienmanowar.wordpress.com/2024/09/12/quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email/", "https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb", "https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/", 
"https://securityintelligence.com/x-force/hive0137-on-ai-journey/", "https://x.com/embee_research/status/1694635899903152619", "https://cert.pl/en/posts/2023/10/deworming-the-xworm/", "https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/" ], "synonyms": [], "type": [] }, "uuid": "a5a05a52-5267-4baf-b4a3-366409b46721", "value": "XWorm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", "https://www.secureworks.com/research/threat-profiles/bronze-butler", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf", "https://www.macnica.net/mpressioncss/feature_05.html/", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors" ], "synonyms": [ "ShadowWalker" ], "type": [] }, "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb", "value": "xxmm" }, { "description": "The author of X-ZIGZAG claims that it is a lightweight and stealthy Windows Remote Access Trojan (RAT) designed for educational purposes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.x_zigzag", "https://github.com/X-ZIGZAG/X-ZIGZAG", "https://www.linkedin.com/feed/update/urn:li:activity:7252248385007603713/" ], "synonyms": [], "type": [] }, "uuid": "a9f3ab12-4d4d-4904-a4b6-d8b48d4e4ac2", "value": "X-ZIGZAG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [ "KeyBoy" ], "type": [] }, "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", "value": 
"Yahoyah" }, { "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware", "https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html" ], "synonyms": [ "Teslarvng Ransomware" ], "type": [] }, "uuid": "0308eff9-1e8c-434e-b551-40f0ceb7dc0e", "value": "Yakuza" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yamabot", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html?m=1", "https://www.youtube.com/watch?v=nUjxH1gW53s" ], "synonyms": [ "Kaos" ], "type": [] }, "uuid": "56243aaa-449e-4c0d-bb51-3f0b6294ec7d", "value": "YamaBot" }, { "description": "According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the \"README.txt\" file containing a ransom note. It appends the \".yanluowang\" extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector.\r\n\r\nFiles encrypted by Yanluowang can be decrypted with this tool (it is possible to decrypt all files if the original file is larger than 3GB. 
If the original file is smaller than 3GB, then only smaller files can be decrypted).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang", "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/", "https://twitter.com/CryptoInsane/status/1586967110504398853", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/", "https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics", "https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/", "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html" ], "synonyms": [ "Dryxiphia" ], "type": [] }, "uuid": "4bc19ce2-e169-4f9f-aabf-ec7fc6a75d12", "value": "Yanluowang" }, { "description": "According to PTSecurity, this RAT uses Yandex Disk as a C2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarat", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks" ], "synonyms": [], "type": [] }, "uuid": "62fd30bc-1af6-40cc-a363-bb6aa85433cb", "value": "YaRAT" }, { "description": "Yarraq is a ransomware that encrypts files by using asymmetric keys and adding '.yarraq' as extension to the end of filenames. At the time of writing the attacker asks for $2000 ransom in order to provide a decryptor, to enable victims to restore their original files back. 
To communicate with the attacker the email: cyborgyarraq@protonmail.ch is provided.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarraq", "https://twitter.com/GrujaRS/status/1210541690349662209", "https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview" ], "synonyms": [], "type": [] }, "uuid": "3bba089d-cd27-465c-8c40-2ff9ff0316c6", "value": "Yarraq" }, { "description": "According to Palo Alto Networks, Yasso is an open source multi-platform intranet-assisted penetration toolset that brings together a number of features such as scanning, brute forcing, remote interactive shell, and running arbitrary commands. It is authored by a Mandarin-speaking pentester nicknamed Sairson.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yasso", "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/" ], "synonyms": [], "type": [] }, "uuid": "d58a18e8-e866-42df-a315-a1f72d2c26aa", "value": "Yasso" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yatron", "https://securelist.com/ransomware-two-pieces-of-good-news/93355/" ], "synonyms": [], "type": [] }, "uuid": "710a27e6-0f17-4fa7-bcb9-e130fcb1ee7f", "value": "Yatron" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih", "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" ], "synonyms": [ "aumlib", "bbsinfo" ], "type": [] }, "uuid": "81157066-c2f6-4625-8070-c0a793d57e18", "value": "yayih" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yellow_cockatoo", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://redcanary.com/blog/yellow-cockatoo/" ], 
"synonyms": [ "Polazer" ], "type": [] }, "uuid": "f1d49672-b857-4ad6-887f-f2bf2bc7c641", "value": "Yellow Cockatoo RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yoddos", "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf" ], "synonyms": [], "type": [] }, "uuid": "8d67586f-3390-474b-a81e-8be90833f25f", "value": "Yoddos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey", "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals", "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf" ], "synonyms": [], "type": [] }, "uuid": "cf9b5867-77db-423d-9bdf-cfc0d24d39c9", "value": "YoreKey" }, { "description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus", "https://www.youtube.com/watch?v=AUGxYhE_CUY" ], "synonyms": [ "DarkShare" ], "type": [] }, "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", "value": "YoungLotus" }, { "description": "According to Trend Micro, this is a ransomware written as a Windows commandline script, with obfuscation applied.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.your_cyanide", "https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html" ], "synonyms": [ "GonnaCope", "Kekpop", "Kekware" ], "type": [] }, "uuid": 
"4a9b8725-2d17-4601-adb4-67de607808d7", "value": "YourCyanide" }, { "description": "According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when it’s executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer", "https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/" ], "synonyms": [], "type": [] }, "uuid": "302854bd-0e03-422c-8b79-54200c7d02ea", "value": "YTStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/", "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", "https://www.secureworks.com/research/threat-profiles/zinc-emerson", "https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf", "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/", "http://blog.ptsecurity.com/2019/11/studying-donot-team.html" ], "synonyms": [], "type": [] }, "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", "value": "yty" }, { "description": "W32/Yunsip!tr.pws is classified as a password stealing trojan.\r\nPassword Stealing Trojan searches the infected system for passwords and send them to the hacker.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yunsip", "https://www.fortiguard.com/encyclopedia/virus/3229143" ], "synonyms": [], "type": [] }, "uuid": "1f8755ac-3dcc-43bd-a07f-cf0fbf2cdb7d", "value": "Yunsip" }, { "description": "Ransomware.", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.z3", "https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html" ], "synonyms": [ "Z3enc Ransomware" ], "type": [] }, "uuid": "3eb96cd0-2d00-45a8-a0a4-54663cc70ab9", "value": "Z3" }, { "description": "Bitdefender describes the primary features of the family as follows: Presence of a rootkit driver that protects itself as well as its other components, presence of man-in-the-browser capabilities that intercepts and decrypts SSL communications, and presence of an adware cleanup routine used to remove potential competition in the adware space. It also communicates with its C&C server, sending environment information such as installed AV and other applications. The malware also takes screenshots and does browser redirects, potentially manipulating the DOM tree. It also creates traffic in hidden windows, likely causing adfraud. The malware is generally very configurable and internally makes use of Lua scripts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zacinlo", "https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/" ], "synonyms": [ "s5mark" ], "type": [] }, "uuid": "5041fed8-25a2-4da2-b2ab-db2364cc064f", "value": "Zacinlo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zardoor", "https://blog.talosintelligence.com/new-zardoor-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "e4f7e46a-65b8-4d17-b4d8-a2f8b2047c22", "value": "ZarDoor" }, { "description": "According to brandefense, Zebrocy is malware that falls into the Trojan category, which the threat actor group APT28/Sofacy has used since 2015. Zebrocy malware consists of 3 main components; Backdoor, Downloader, and Dropper. The Downloader and Dropper take responsibility for discovery processes and downloading the main malware on the systems. 
At the same time, Backdoor undertakes the duties such as persistence in the system, espionage, and data extraction.\r\n\r\nThis malware, which is not considered new, has variants in many languages from the past to the present. These include programming languages such as Delphi, C#, Visual C++, VB.net, and Golang. Furthermore, we know advanced threat actors and groups revise their malicious software among their toolkits at certain time intervals using different languages and technologies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://research.checkpoint.com/malware-against-the-c-monoculture/", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html", "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/", "https://meltx0r.github.io/tech/2019/10/24/apt28.html", "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/", "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/", "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/", "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/", "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html", 
"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/", "https://securelist.com/a-zebrocy-go-downloader/89419/", "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b", "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://brandefense.io/zebrocy-malware-technical-analysis-report/", "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/" ], "synonyms": [ "Zekapab" ], "type": [] }, "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42", "value": "Zebrocy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "synonyms": [], "type": [] }, "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0", "value": "Zebrocy (AutoIT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" ], "synonyms": [], "type": [] }, "uuid": 
"2211eade-4980-4143-acd7-5ecda26d9dfa", "value": "Zedhou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zenar", "https://twitter.com/3xp0rtblog/status/1387996083712888832?s=20" ], "synonyms": [], "type": [] }, "uuid": "7502f293-0b7f-417f-a13a-1c71dadc5ccc", "value": "zenar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus", "https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/" ], "synonyms": [], "type": [] }, "uuid": "92e89ff1-eae9-4d71-9031-80cca544952e", "value": "Zeoticus" }, { "description": "Zeppelin is a ransomware written in Delphi and sold as-a-service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but they assessed it as a new family because of additionally developed modules that make Zeppelin much more configurable than VegaLocker. There are executable variants of type DLL and EXE.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin", "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://community.riskiq.com/article/47766fbd", "https://www.cisa.gov/uscert/ncas/alerts/aa22-223a", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-223A_Zeppelin_CSA.pdf", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/", 
"https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/", "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html", "https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/" ], "synonyms": [], "type": [] }, "uuid": "5587d163-d5ec-43fc-8071-7e7cd1002ba7", "value": "Zeppelin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess", "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/", "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html", "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/", "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/", "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html", "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail", "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/", 
"https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/" ], "synonyms": [ "Max++", "Sirefef", "Smiscer" ], "type": [] }, "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7", "value": "ZeroAccess" }, { "description": "ZeroCleare is a destructive malware. It has been developed to wipe the master boot record section in order to damage a disk's partitioning. Attackers use the EldoS RawDisk driver to perform the malicious action; since it is not a signed driver, it would not be runnable by default. The attackers managed to install it by using a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. Used to attack Middle East energy and industrial sectors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government", "https://www.ibm.com/downloads/cas/OAJ4VZNJ", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [], "type": [] }, "uuid": "a7e1429f-55bd-41ac-bf45-70c93465d113", "value": "ZeroCleare" }, { "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all passwords from the Windows.Security.Credentials.PasswordVault. 
Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" ], "synonyms": [], "type": [] }, "uuid": "585f9f75-1239-4561-8815-c5ae033053a1", "value": "ZeroEvil" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerolocker", "http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "b226e6bb-b8bf-4c5d-b0b3-c7c04d12679a", "value": "ZeroLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeropadypt", "https://www.pcrisk.com/removal-guides/16844-harma-ouroboros-ransomware" ], "synonyms": [ "Ouroboros" ], "type": [] }, "uuid": "b8f99ed3-5669-4c71-b217-e92659a6e6bd", "value": "Zeropadypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot", "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" ], "synonyms": [], "type": [] }, "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", "value": "ZeroT" }, { "description": "According to CrowdStrike, The two primary goals of the Zeus trojan horse virus are stealing people's financial information and adding machines to a botnet. Unlike many types of malware, most Zeus variants try to avoid doing long-term damage to the devices they infect. 
Their aim is to avoid detection from antivirus software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus", "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html", "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf", "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf", "https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/", "https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars", "https://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "https://www.secureworks.com/research/threat-profiles/bronze-woodland", "http://eternal-todo.com/blog/detecting-zeus", "http://eternal-todo.com/blog/zeus-spreading-facebook", "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html", "https://nakedsecurity.sophos.com/2010/07/24/sample-run/", 
"https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20", "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "http://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://unit42.paloaltonetworks.com/banking-trojan-techniques/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.crowdstrike.com/cybersecurity-101/malware/trojan-zeus-malware", "https://www.s21sec.com/en/zeus-the-missing-link/", "https://www.mnin.org/write/ZeusMalware.pdf", "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite", "https://www.wired.com/2017/03/russian-hacker-spy-botnet/", "https://www.nrc.nl/nieuws/2021/04/02/the-cesspool-of-the-internet-is-to-be-found-in-a-village-in-north-holland-a4038369", "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/", "https://www.secureworks.com/research/zeus?threat=zeus", "http://eternal-todo.com/blog/new-zeus-binary", "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", "https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/", "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals" ], "synonyms": [ "Zbot" ], "type": [] }, "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", "value": "Zeus" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action", "https://twitter.com/benkow_/status/1136983062699487232", "https://www.youtube.com/watch?v=EyDiIAt__dI" ], "synonyms": [], "type": [] }, "uuid": "95057d7a-b95a-4173-bae7-9256ae002543", "value": "ZeusAction" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer" ], "synonyms": [], "type": [] }, "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3", "value": "Zeus MailSniffer" }, { "description": "This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.\r\n\r\nIn June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.\r\nIn January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. 
Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/", "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/" ], "synonyms": [ "XSphinx" ], "type": [] }, "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0", "value": "Zeus OpenSSL" }, { "description": "This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. 
Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx", "https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/", "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/", "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html" ], "synonyms": [], "type": [] }, "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4", "value": "Zeus Sphinx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin", "https://twitter.com/siri_urz/status/923479126656323584" ], "synonyms": [], "type": [] }, "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f", "value": "Zezin" }, { "description": "zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. 
zgRAT has an infostealer component which targets browser information and cryptocurrency wallets.\r\nIt usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat", "https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities", "https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US", "https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/", "https://bazaar.abuse.ch/browse/signature/zgRAT/", "https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware" ], "synonyms": [], "type": [] }, "uuid": "0c3ea882-72a7-4838-b79a-150be30b6a36", "value": "zgRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614", "value": "ZhCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf" ], "synonyms": [], "type": [] }, "uuid": "989330e9-52da-4489-888b-686429db3a45", "value": "ZhMimikatz" }, { "description": "An information stealer written in .NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zingo_stealer", "https://blog.talosintelligence.com/haskers-gang-zingostealer/", "https://blogs.blackberry.com/en/2022/05/threat-thursday-zingostealer", "https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware" ], "synonyms": [ "Ginzo" ], "type": [] }, "uuid": "3984dfa1-45dc-4c19-92ca-3b90b89c8c62", "value": "ZingoStealer" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo", "https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/", "https://mobisec.reyammer.io/slides" ], "synonyms": [ "ZeuS-in-the-Mobile" ], "type": [] }, "uuid": "6f08bd79-d22a-471c-882b-f68a42eb4a23", "value": "ZitMo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "c23aac20-4987-4c15-af63-7043026c5f82", "value": "ZiyangRAT" }, { "description": "This family describes the (initially small) loader, which downloads Zeus OpenSSL.\r\n\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. 
Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader", "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/", "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/", "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/", "https://twitter.com/ffforward/status/1324281530026524672", "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", "https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks", "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/", "https://labs.k7computing.com/?p=22458", "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit", "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://blog.vincss.net/re026-a-deep-dive-into-zloader-the-silent-night/", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance", "https://unit42.paloaltonetworks.com/api-hammering-malware-families/", "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1", 
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://johannesbader.ch/blog/the-dga-of-zloader/", "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt", "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed", "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html", "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware", "https://noticeofpleadings.com/zloader/", "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://labs.k7computing.com/index.php/zloader-strikes-back/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://www.youtube.com/watch?v=QBoj6GB79wM", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf", 
"https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://blogs.quickheal.com/zloader-entailing-different-office-files/", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850", "https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night", "https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/", "https://www.youtube.com/watch?v=mhX-UoaYnOM", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/", "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns", "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/", "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/", "https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight", "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", 
"https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader", "https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/", "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", "https://www.lac.co.jp/lacwatch/people/20201106_002321.html", "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/", "https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html", "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/", "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/", "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/", "https://blog.alyac.co.kr/3322", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/", 
"https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems", "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/", "https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/", "https://twitter.com/VK_Intel/status/1294320579311435776", "https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/" ], "synonyms": [ "DELoader", "SILENTNIGHT", "Terdot" ], "type": [] }, "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed", "value": "Zloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob", "https://en.wikipedia.org/wiki/Zlob_trojan", "https://blag.nullteilerfrei.de/2020/08/23/programmatically-nop-the-current-selection-in-ghidra/" ], "synonyms": [], "type": [] }, "uuid": "ddccba7e-89f3-4b51-803c-e473ca5623da", "value": "Zlob" }, { "description": "Information Stealer used by Void Balaur.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zstealer", "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf", "https://twitter.com/Arkbird_SOLG/status/1458973883068043264" ], "synonyms": [ "Z*Stealer" ], "type": [] }, "uuid": "750c4f21-36b0-45b7-80d5-e6c9fdf5134d", "value": "ZStealer" }, { "description": "According to ESET, this malware family was active exclusively in Brazil until the middle of 2020. It is identified by its method for obfuscating strings. 
It creates a function for each character of the alphabet and then concatenates the result of calling the correct functions in sequence.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek", "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/", "https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/" ], "synonyms": [], "type": [] }, "uuid": "2fde6fa9-6e3f-491f-95f7-107b41efacd8", "value": "Zumanek" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdater", "https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/" ], "synonyms": [ "Zpevdo" ], "type": [] }, "uuid": "36a54d23-39ea-446c-b690-6a899890773d", "value": "ZUpdater" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdax", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf" ], "synonyms": [], "type": [] }, "uuid": "0a0b04d4-afc7-4135-b71e-1148f965b566", "value": "Zupdax" }, { "description": "According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. 
Simplified Chinese is the language used for the bundled ZXSHELL documentation.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell", "https://risky.biz/whatiswinnti/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", "https://attack.mitre.org/groups/G0096", "https://blogs.cisco.com/security/talos/opening-zxshell", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor", "https://lab52.io/blog/apt27-rootkit-updates/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://unit42.paloaltonetworks.com/atoms/iron-taurus/", "https://attack.mitre.org/groups/G0001/", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf", "https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw", "https://github.com/smb01/zxshell", "https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox" ], "synonyms": [ "Sensocode" ], "type": [] }, "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15", "value": "ZXShell" }, { "description": "Cisco Talos attributes this backdoor with moderate confidence to the Bitter APT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxxz", "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/" ], "synonyms": [ "MuuyDownloader" ], "type": [] }, "uuid": "3782b76b-3fe8-41d9-b258-dac25f9699a2", "value": "ZxxZ" }, { "description": "According to FireEye, Zyklon or 
Zyklon HTTP is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon", "https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html", "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html" ], "synonyms": [], "type": [] }, "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722", "value": "Zyklon" } ], "version": 21776 }