{ "values": [ { "value": "PlugX", "description": "Malware" }, { "value": "MSUpdater" }, { "value": "Poison Ivy", "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", "refs": ["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"] }, { "value": "Torn RAT" }, { "value": "ZeGhost" }, { "value": "Elise Backdoor", "synonyms": ["Elise"] }, { "value": "Lstudio" }, { "value": "Joy RAT" }, { "value": "Sakula", "synonyms": ["Sakurel"] }, { "value": "Derusbi" }, { "value": "EvilGrab" }, { "value": "IEChecker" }, { "value": "Trojan.Naid" }, { "value": "Backdoor.Moudoor" }, { "value": "NetTraveler" }, { "value": "Winnti" }, { "value": "Mimikatz" }, { "value": "WEBC2" }, { "value": "Pirpi" }, { "value": "RARSTONE" }, { "value": "BACKSPACe" }, { "value": "XSControl" }, { "value": "NETEAGLE" }, { "value": "Agent.BTZ", "synonyms": ["ComRat"] }, { "value": "Heseber BOT", "description": "RAT bundle with standard VNC (to avoid/limit A/V detection)." }, { "value": "Agent.dne" }, { "value": "Wipbot" }, { "value": "Turla" }, { "value": "Uroburos" }, { "value": "Winexe" }, { "value": "Dark Comet", "description": "RAT initially identified in 2011 and still actively used." }, { "value": "AlienSpy", "description": "RAT for Apple OS X platforms" }, { "value": "Gh0st Rat", "description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.", "synonyms": ["Gh0stRat, GhostRat"], "refs": ["http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf"] }, { "value": "Fakem RAT", "description": "Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).", "synonyms": ["FAKEM"], "refs": ["http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf"] }, { "value": "MFC Huner", "synonyms": ["Hupigon", "BKDR_HUPIGON"], "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/"] }, { "value": "Blackshades", "description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.", "refs": ["https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection","https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/"] }, { "value": "CORESHELL" }, { "value": "CHOPSTICK" }, { "value": "SOURFACE" }, { "value": "OLDBAIT" }, { "value": "Havex RAT", "synonyms": ["Havex"] }, { "value": "KjW0rm", "description": "RAT initially written in VB.", "refs": ["https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/"] }, { "value": "LURK" }, { "value": "Oldrea" }, { "value": "AmmyAdmin" }, { "value": "Matryoshka" }, { "value": "TinyZBot" }, { "value": "GHOLE" }, { "value": "CWoolger" }, { "value": "FireMalv" }, { "value": "Regin" }, { "value": "Duqu" }, { "value": "Flame" }, { "value": "Stuxnet" }, { "value": "EquationLaser" }, { "value": "EquationDrug" }, { "value": "DoubleFantasy" }, { "value": "TripleFantasy" }, { "value": "Fanny" }, { "value": "GrayFish" }, { "value": "Babar" }, { "value": "Bunny" }, { "value": "Casper" }, { "value": "NBot" }, { "value": "Tafacalou" }, { "value": "Tdrop" }, { "value": "Troy" }, { "value": "Tdrop2" } ], "version" : 1, "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": ["Alexandre Dulaunoy", "Florian Roth"], "type": "threat-actor-tools" }