{ "nbformat": 4, "nbformat_minor": 0, "metadata": { "colab": { "provenance": [], "authorship_tag": "ABX9TyOFSmnINQ4YRBroomWdb+/2", "include_colab_link": true }, "kernelspec": { "name": "python3", "display_name": "Python 3" }, "language_info": { "name": "python" } }, "cells": [ { "cell_type": "markdown", "metadata": { "id": "view-in-github", "colab_type": "text" }, "source": [ "\"Open" ] }, { "cell_type": "code", "execution_count": 1, "metadata": { "colab": { "base_uri": "https://localhost:8080/" }, "id": "FqtblfJbEQMa", "outputId": "1492cb1c-c088-481c-fef4-24d038d246cf" }, "outputs": [ { "output_type": "stream", "name": "stdout", "text": [ "Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/\n", "Collecting PyMISPGalaxies\n", " Downloading pymispgalaxies-0.3-py3-none-any.whl (4.9 MB)\n", "\u001b[2K \u001b[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m4.9/4.9 MB\u001b[0m \u001b[31m43.5 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n", "\u001b[?25hCollecting jsonschema<5.0.0,>=4.17.3\n", " Downloading jsonschema-4.17.3-py3-none-any.whl (90 kB)\n", "\u001b[2K \u001b[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\u001b[0m \u001b[32m90.4/90.4 kB\u001b[0m \u001b[31m10.9 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n", "\u001b[?25hRequirement already satisfied: attrs>=17.4.0 in /usr/local/lib/python3.9/dist-packages (from jsonschema<5.0.0,>=4.17.3->PyMISPGalaxies) (23.1.0)\n", "Requirement already satisfied: pyrsistent!=0.17.0,!=0.17.1,!=0.17.2,>=0.14.0 in /usr/local/lib/python3.9/dist-packages (from jsonschema<5.0.0,>=4.17.3->PyMISPGalaxies) (0.19.3)\n", "Installing collected packages: jsonschema, PyMISPGalaxies\n", " Attempting uninstall: jsonschema\n", " Found existing installation: jsonschema 4.3.3\n", " Uninstalling jsonschema-4.3.3:\n", " Successfully uninstalled jsonschema-4.3.3\n", "Successfully installed PyMISPGalaxies-0.3 jsonschema-4.17.3\n" ] } ], "source": [ "%pip install PyMISPGalaxies" ] }, { "cell_type": "code", "source": [ "from pymispgalaxies import Clusters" ], "metadata": { "id": "Gy_cjV42Faj-" }, "execution_count": 2, "outputs": [] }, { "cell_type": "markdown", "source": [ "To Choose a cluster, the name of cluster is the name of file in , here we use malpedia" ], "metadata": { "id": "Z_FZERTPMV0s" } }, { "cell_type": "code", "source": [ "cluster_malpedia = Clusters().get('malpedia') #corresponding to https://github.com/MISP/misp-galaxy/clusters/malpedia.json\n", "cluster_malpedia" ], "metadata": { "id": "pmsFAlTsFr_Q" }, "execution_count": null, "outputs": [] }, { "cell_type": "markdown", "source": [ "To access in a entry json like Zeus:\n", "\n", "```\n", "{\n", " \"description\": \"\",\n", " \"meta\": {\n", " \"refs\": [\n", " \"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus\",\n", " \"https://securelist.com/financial-cyberthreats-in-2020/101638/\",\n", " \"https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/\",\n", " \"http://eternal-todo.com/blog/detecting-zeus\",\n", " \"https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite\",\n", " \"http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html\",\n", " \"https://www.youtube.com/watch?v=LUxOcpIRxmg\",\n", " \"https://www.secureworks.com/research/threat-profiles/bronze-woodland\",\n", " \"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf\",\n", " \"https://www.mnin.org/write/ZeusMalware.pdf\",\n", " \"https://www.secureworks.com/research/zeus?threat=zeus\",\n", " \"https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/\",\n", " \"https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/\",\n", " \"https://us-cert.cisa.gov/ncas/alerts/aa20-345a\",\n", " \"http://eternal-todo.com/blog/new-zeus-binary\",\n", " \"https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\",\n", " \"http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html\",\n", " \"https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/\",\n", " \"https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf\",\n", " \"http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html\",\n", " \"https://www.wired.com/2017/03/russian-hacker-spy-botnet/\",\n", " \"http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html\",\n", " \"http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html\",\n", " \"https://www.secureworks.com/research/threat-profiles/gold-evergreen\",\n", " \"http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html\",\n", " \"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree\",\n", " \"https://nakedsecurity.sophos.com/2010/07/24/sample-run/\",\n", " \"https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals\",\n", " \"http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html\",\n", " \"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf\",\n", " \"https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20\",\n", " \"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf\",\n", " \"https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group\",\n", " \"https://www.s21sec.com/en/zeus-the-missing-link/\",\n", " \"http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html\",\n", " \"http://eternal-todo.com/blog/zeus-spreading-facebook\",\n", " \"https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf\",\n", " \"http://www.secureworks.com/research/threat-profiles/gold-evergreen\",\n", " \"https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf\"\n", " ],\n", " \"synonyms\": [\n", " \"Zbot\"\n", " ],\n", " \"type\": []\n", " },\n", " \"uuid\": \"4e8c1ab7-2841-4823-a5d1-39284fb0969a\",\n", " \"value\": \"Zeus\"\n", " }\n", " ```" ], "metadata": { "id": "xf3vTuWsNzF6" } }, { "cell_type": "code", "source": [ "zeus = cluster_malpedia.cluster_values['Zeus']\n", "zeus.to_dict()" ], "metadata": { "colab": { "base_uri": "https://localhost:8080/" }, "id": "2dVS64R9Nxwu", "outputId": "7ebb7915-c981-4814-e7cb-b4ba96aa409f" }, "execution_count": 8, "outputs": [ { "output_type": "execute_result", "data": { "text/plain": [ "{'value': 'Zeus',\n", " 'uuid': '4e8c1ab7-2841-4823-a5d1-39284fb0969a',\n", " 'meta': }" ] }, "metadata": {}, "execution_count": 8 } ] }, { "cell_type": "markdown", "source": [ "To access at metadata" ], "metadata": { "id": "SHmE7qcDPBcF" } }, { "cell_type": "code", "source": [ "zeus.meta.to_dict()" ], "metadata": { "colab": { "base_uri": "https://localhost:8080/" }, "id": "-T6MYOzJOrVF", "outputId": "bc22b364-a1a0-470e-d4ab-8e833e81753a" }, "execution_count": 9, "outputs": [ { "output_type": "execute_result", "data": { "text/plain": [ "{'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus',\n", " 'https://securelist.com/financial-cyberthreats-in-2020/101638/',\n", " 'https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/',\n", " 'http://eternal-todo.com/blog/detecting-zeus',\n", " 'https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite',\n", " 'http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html',\n", " 'https://www.youtube.com/watch?v=LUxOcpIRxmg',\n", " 'https://www.secureworks.com/research/threat-profiles/bronze-woodland',\n", " 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf',\n", " 'https://www.mnin.org/write/ZeusMalware.pdf',\n", " 'https://www.secureworks.com/research/zeus?threat=zeus',\n", " 'https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/',\n", " 'https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/',\n", " 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a',\n", " 'http://eternal-todo.com/blog/new-zeus-binary',\n", " 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html',\n", " 'http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html',\n", " 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/',\n", " 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf',\n", " 'http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html',\n", " 'https://www.wired.com/2017/03/russian-hacker-spy-botnet/',\n", " 'http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html',\n", " 'http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html',\n", " 'https://www.secureworks.com/research/threat-profiles/gold-evergreen',\n", " 'http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html',\n", " 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree',\n", " 'https://nakedsecurity.sophos.com/2010/07/24/sample-run/',\n", " 'https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals',\n", " 'http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html',\n", " 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf',\n", " 'https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20',\n", " 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf',\n", " 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group',\n", " 'https://www.s21sec.com/en/zeus-the-missing-link/',\n", " 'http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html',\n", " 'http://eternal-todo.com/blog/zeus-spreading-facebook',\n", " 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf',\n", " 'http://www.secureworks.com/research/threat-profiles/gold-evergreen',\n", " 'https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf'],\n", " 'synonyms': ['Zbot']}" ] }, "metadata": {}, "execution_count": 9 } ] }, { "cell_type": "markdown", "source": [ "To list all entries, with metadata" ], "metadata": { "id": "Tq96ubMoPWoV" } }, { "cell_type": "code", "source": [ "for name,cluster_value in cluster_malpedia.cluster_values.items():\n", " obj_dict = cluster_value.to_dict()\n", " if 'meta' in obj_dict:\n", " meta = obj_dict['meta'].to_dict()\n", " print(name, meta)" ], "metadata": { "colab": { "base_uri": "https://localhost:8080/" }, "id": "rWcAjS6ZPVn_", "outputId": "ac25600c-fdd7-460c-835d-c6d6b4bfda60" }, "execution_count": 10, "outputs": [ { "output_type": "stream", "name": "stdout", "text": [ "FastCash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://github.com/fboldewin/FastCashMalwareDissected/', 'https://www.cisa.gov/uscert/ncas/alerts/TA18-275A', 'https://www.cisa.gov/uscert/ncas/alerts/aa20-239a', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.youtube.com/watch?v=zGvQPtejX9w', 'https://www.us-cert.gov/ncas/alerts/TA18-275A', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html', 'https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware', 'https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware']}\n", "888 RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat', 'https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/']}\n", "Aberebot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot', 'https://twitter.com/_icebre4ker_/status/1460527428544176128', 'https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/', 'https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes', 'https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/', 'https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord'], 'synonyms': ['Escobar']}\n", "AbstractEmu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu', 'https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign']}\n", "ActionSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/', 'https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/', 'https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html'], 'synonyms': ['AxeSpy']}\n", "AdoBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.adobot', 'https://twitter.com/LukasStefanko/status/1243198756981559296', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord']}\n", "AdultSwine {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine', 'https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/']}\n", "AhMyth {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth', 'https://securelist.com/transparent-tribe-part-2/98233/', 'https://www.secrss.com/articles/24995', 'https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/', 'https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset']}\n", "Alien {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien', 'https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html', 'https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html', 'https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets', 'https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/', 'https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/', 'https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/', 'https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing', 'https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/', 'https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf'], 'synonyms': ['AlienBot']}\n", "AmpleBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.amplebot', 'https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html', 'https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html', 'https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html'], 'synonyms': ['BlackRock']}\n", "Anatsa {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa', 'https://twitter.com/_icebre4ker_/status/1416409813467156482', 'https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html', 'https://gbhackers.com/teabot-banking-trojan/', 'https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/', 'https://twitter.com/ThreatFabric/status/1394958795508523008', 'https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered', 'https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe', 'https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html', 'https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf', 'https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368', 'https://labs.k7computing.com/?p=22407', 'https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/', 'https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html', 'https://www.cleafy.com/documents/teabot', 'https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf', 'https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/'], 'synonyms': ['ReBot', 'TeaBot', 'Toddler']}\n", "AndroRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat', 'https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat', 'https://github.com/DesignativeDave/androrat', 'https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset', 'https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf', 'https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html', 'https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html', 'https://www.kaspersky.com/blog/mobile-malware-part-4/24290/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/', 'https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat', 'https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg']}\n", "Anubis (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis', 'http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html', 'https://www.youtube.com/watch?v=U0UsfO-0uJM', 'https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html', 'https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/', 'https://muha2xmad.github.io/malware-analysis/anubis/', 'https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/', 'http://blog.koodous.com/2017/05/bankbot-on-google-play.html', 'https://securelist.com/mobile-malware-evolution-2019/96280/', 'https://pentest.blog/n-ways-to-unpack-mobile-malware/', 'https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html', 'https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html', 'https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/', 'https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis', 'https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/', 'https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/', 'http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html', 'https://0x1c3n.tech/anubis-android-malware-analysis', 'https://www.threatfabric.com/blogs/2020_year_of_the_rat.html', 'https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/', 'https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/', 'https://community.riskiq.com/article/85b3db8c', 'https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html', 'https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ', 'https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus', 'https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb'], 'synonyms': ['BankBot', 'android.bankbot', 'android.bankspy']}\n", "AnubisSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/', 'https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf']}\n", "Asacub {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub', 'https://securelist.com/mobile-malware-evolution-2019/96280/', 'https://securelist.com/the-rise-of-mobile-banker-asacub/87591/']}\n", "Ashas {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ashas', 'https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/']}\n", "ATANK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.atank', 'https://twitter.com/LukasStefanko/status/1268070798293708800']}\n", "BADCALL (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall', 'https://www.us-cert.gov/ncas/analysis-reports/ar19-252a']}\n", "BadPatch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch', 'https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/'], 'synonyms': ['WelcomeChat']}\n", "Bahamut (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut', 'https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw', 'https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/', 'https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/', 'https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/', 'https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf', 'https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/']}\n", "Basbanke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke', 'https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/', 'https://twitter.com/LukasStefanko/status/1280243673100402690', 'https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE']}\n", "BianLian {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian', 'https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56', 'https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html', 'https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html', 'https://cryptax.medium.com/android-bianlian-payload-61febabed00a', 'https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5', 'https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726', 'https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221'], 'synonyms': ['Hydra']}\n", "BRATA {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata', 'https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html', 'https://securelist.com/spying-android-rat-from-brazil-brata/92775/', 'https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam', 'https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again', 'https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account', 'https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat'], 'synonyms': ['AmexTroll']}\n", "Brunhilda {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda', 'https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf']}\n", "BusyGasper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper', 'https://securelist.com/busygasper-the-unfriendly-spy/87627/']}\n", "CapraRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat', 'https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html']}\n", "CarbonSteal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal', 'https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf']}\n", "Catelites {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites', 'https://www.youtube.com/watch?v=1LOy0ZyjEOk', 'https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang']}\n", "Cerberus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus', 'https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/', 'https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/', 'https://nur.pub/cerberus-analysis', 'https://securelist.com/the-state-of-stalkerware-in-2021/106193/', 'https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html', 'https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf', 'https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html', 'https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html', 'https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://twitter.com/AndroidCerberus', 'https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus', 'https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/', 'https://github.com/ics-iot-bootcamp/cerberus_research', 'https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html', 'https://www.threatfabric.com/blogs/2020_year_of_the_rat.html', 'https://community.riskiq.com/article/85b3db8c']}\n", "Chamois {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois', 'https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/', 'https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf', 'https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html']}\n", "Charger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger', 'http://blog.checkpoint.com/2017/01/24/charger-malware/', 'https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf', 'http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html']}\n", "Chinotto (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.chinotto', 'https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/', 'https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/']}\n", "Chrysaor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor', 'https://twitter.com/billmarczak/status/1416801439402262529', 'https://twitter.com/HackSysTeam/status/1418223814387765258?s=20', 'https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/', 'https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/', 'https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf', 'https://thewire.in/media/pegasus-project-spyware-indian-journalists', 'https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/', 'https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/', 'https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/', 'https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat', 'https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure', 'https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/', 'https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/', 'https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages', 'https://irpimedia.irpi.eu/sorveglianze-cy4gate/', 'https://zetter.substack.com/p/pegasus-spyware-how-it-works-and', 'https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html', 'https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying', 'https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/', 'https://thewire.in/tag/pegasus-project', 'https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/', 'https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html', 'https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus', 'https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/', 'https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/', 'https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/', 'https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/', 'https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/', 'https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/', 'https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/', 'https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/', 'https://www.theguardian.com/news/series/pegasus-project', 'https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/', 'https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/', 'https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/', 'https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/', 'https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html', 'https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus', 'https://twitter.com/alexanderjaeger/status/1417447732030189569', 'https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html', 'https://citizenlab.ca/2021/07/amnesty-peer-review/', 'https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/', 'https://nex.sx/blog/2021/08/03/the-pegasus-project.html', 'https://objective-see.com/blog/blog_0x67.html', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/', 'https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/', 'https://media.ccc.de/v/33c3-7901-pegasus_internals', 'https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html', 'https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/', 'https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/', 'https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/', 'https://forbiddenstories.org/about-the-pegasus-project/', 'https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso', 'https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/', 'https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/', 'https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto', 'https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests', 'https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html', 'https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5', 'https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1'], 'synonyms': ['JigglyPuff', 'Pegasus']}\n", "Clientor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor', 'https://twitter.com/LukasStefanko/status/1042297855602503681']}\n", "Clipper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper', 'https://news.drweb.com/show?lng=en&i=12739', 'https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/', 'https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html']}\n", "CloudAtlas {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.cloudatlas', 'https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware']}\n", "CometBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot', 'https://twitter.com/LukasStefanko/status/1102937833071935491']}\n", "Connic {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic', 'https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/'], 'synonyms': ['SpyBanker']}\n", "Coper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper', 'https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/', 'https://blog.cyble.com/2022/03/24/coper-banking-trojan/', 'https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html', 'https://twitter.com/_icebre4ker_/status/1541875982684094465', 'https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/', 'https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0', 'https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html', 'https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html', 'https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/'], 'synonyms': ['ExobotCompact', 'Octo']}\n", "Coronavirus Android Worm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm', 'https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan', 'https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html']}\n", "Cpuminer (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer', 'https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/']}\n", "CryCryptor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor', 'https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/'], 'synonyms': ['CryCrypter', 'CryDroid']}\n", "CyberAzov {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.cyber_azov', 'https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/', 'https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag', 'https://twitter.com/sekoia_io/status/1554086468104196096']}\n", "Dark Shades {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades', 'https://twitter.com/LukasStefanko/status/1252163657036976129'], 'synonyms': ['Rogue']}\n", "DawDropper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.dawdropper', 'https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html']}\n", "DEFENSOR ID {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/'], 'synonyms': ['Defensor Digital']}\n", "Dendroid {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments']}\n", "dmsSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/', 'https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf', 'https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/']}\n", "DoubleAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent', 'https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf']}\n", "DoubleLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker', 'https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/']}\n", "Dracarys {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.dracarys', 'https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/']}\n", "DroidJack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack', 'https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic']}\n", "DroidWatcher {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidwatcher', 'https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf']}\n", "DualToy (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy', 'http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/']}\n", "Dvmap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap', 'https://securelist.com/mobile-malware-evolution-2019/96280/', 'https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/']}\n", "Elibomi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.elibomi', 'https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-android-malware-targets-taxpayers-in-india/'], 'synonyms': ['Drinik']}\n", "ERMAC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac', 'https://twitter.com/ESETresearch/status/1445618031464357888', 'https://blog.cyble.com/2022/05/25/ermac-back-in-action/', 'https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html', 'https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover']}\n", "Eventbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot', 'https://www.youtube.com/watch?v=qqwOrLR2rgU', 'https://twitter.com/ThreatFabric/status/1240664876558823424', 'https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born']}\n", "ExoBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot', 'https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/', 'https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/', 'https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/', 'https://blog.cyble.com/2022/03/24/coper-banking-trojan/', 'https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html', 'https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/', 'https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/']}\n", "Exodus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus', 'https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv', 'https://securitywithoutborders.org/blog/2019/03/29/exodus.html', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store']}\n", "FaceStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.facestealer', 'https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html', 'https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/', 'https://threatpost.com/facestealer-trojan-google-play-facebook/179015/']}\n", "FakeAdBlocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakeadblocker', 'https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/']}\n", "FakeSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy', 'https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html', 'https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html', 'https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681', 'https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/']}\n", "FakeGram {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram', 'https://blog.talosintelligence.com/2018/11/persian-stalker.html'], 'synonyms': ['FakeTGram']}\n", "FileCoder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder', 'https://www.welivesecurity.com/2019/07/29/android-ransomware-back/']}\n", "FinFisher (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher', 'https://github.com/linuzifer/FinSpy-Dokumentation', 'https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/', 'https://securelist.com/finspy-unseen-findings/104322/', 'https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/', 'https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf', 'https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/']}\n", "FlexiSpy (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy', 'https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/', 'https://mobisec.reyammer.io/slides']}\n", "FlexNet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet', 'https://securelist.com/mobile-malware-evolution-2019/96280/', 'https://twitter.com/LukasStefanko/status/886849558143279104'], 'synonyms': ['gugi']}\n", "FluBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot', 'https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027', 'https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered', 'https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/', 'https://twitter.com/alberto__segura/status/1399249798063087621?s=20', 'https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond', 'https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/', 'https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html', 'https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html', 'https://www.infinitumit.com.tr/flubot-zararlisi/', 'https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html', 'https://twitter.com/alberto__segura/status/1395675479194095618', 'https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html', 'https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/', 'https://mobile.twitter.com/alberto__segura/status/1400396365759500289', 'https://securityintelligence.com/posts/story-of-fakechat-malware/', 'https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users', 'https://blog.zimperium.com/flubot-vs-zimperium/', 'https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/', 'https://twitter.com/alberto__segura/status/1404098461440659459', 'https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon', 'https://www.prodaft.com/m/reports/FluBot_4.pdf', 'https://hispasec.com/resources/FedexBanker.pdf', 'https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf', 'https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/', 'https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9', 'https://twitter.com/malwrhunterteam/status/1359939300238983172', 'https://twitter.com/alberto__segura/status/1402615237296148483', 'https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones', 'https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/', 'https://therecord.media/flubot-malware-gang-arrested-in-barcelona/', 'https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06', 'https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/', 'https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/', 'https://twitter.com/alberto__segura/status/1384840011892285440', 'https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain', 'https://www.ncsc.admin.ch/22w12-de', 'https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368'], 'synonyms': ['Cabassous', 'FakeChat']}\n", "FlyTrap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.flytrap', 'https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/']}\n", "FunkyBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot', 'https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681', 'https://securelist.com/roaming-mantis-part-v/96250/', 'https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html']}\n", "FurBall {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball', 'https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/', 'https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program', 'https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/', 'https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf', 'https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/', 'https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html']}\n", "Geost {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost', 'https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/', 'https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/']}\n", "Ghimob {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghimob', 'https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/']}\n", "GhostCtrl {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl', 'https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/']}\n", "Ginp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp', 'https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/', 'https://www.youtube.com/watch?v=WeL_xSryj8E', 'https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html', 'https://twitter.com/ESETresearch/status/1269945115738542080', 'https://www.threatfabric.com/blogs/2020_year_of_the_rat.html', 'https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/']}\n", "GlanceLove {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove', 'https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/', 'https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773', 'https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/', 'https://www.clearskysec.com/glancelove/']}\n", "GnatSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.gnatspy', 'https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html']}\n", "GoldenEagle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle', 'https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf']}\n", "GoldenRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat', 'https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/']}\n", "goontact {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact', 'https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail', 'https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/']}\n", "GPlayed {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed', 'https://blog.talosintelligence.com/2018/10/gplayedtrojan.html', 'https://blog.talosintelligence.com/2018/10/gplayerbanker.html']}\n", "GriftHorse {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.grifthorse', 'https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/']}\n", "Guerrilla {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.guerrilla', 'https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html']}\n", "Gustuff {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff', 'https://blog.talosintelligence.com/2019/10/gustuffv2.html', 'https://www.group-ib.com/media/gustuff/', 'https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf', 'https://www.threatfabric.com/blogs/2020_year_of_the_rat.html', 'https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html', 'https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html']}\n", "HARDRAIN (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain', 'https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990', 'https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/', 'https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf']}\n", "HawkShaw {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw', 'https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw', 'https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/']}\n", "HenBox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox', 'https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/', 'https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/', 'https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/']}\n", "Hermit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit', 'https://www.lighthousereports.nl/investigation/revealing-europes-nso', 'https://de.lookout.com/blog/hermit-spyware-discovery', 'https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/']}\n", "HeroRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat', 'https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/']}\n", "HiddenAd {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/', 'https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users', 'https://twitter.com/LukasStefanko/status/1136568939239137280', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://securelist.com/mobile-malware-evolution-2019/96280/']}\n", "HilalRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.hilalrat', 'https://thehackernews.com/2022/04/microsoft-obtains-court-order-to-take.html']}\n", "Hydra {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra', 'https://muha2xmad.github.io/malware-analysis/hydra/', 'https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html', 'https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/', 'https://cryptax.medium.com/android-bianlian-payload-61febabed00a', 'https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5', 'https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726', 'https://www.threatfabric.com/blogs/2020_year_of_the_rat.html', 'https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221', 'https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0', 'https://twitter.com/muha2xmad/status/1570788983474638849', 'https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/']}\n", "IPStorm (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ipstorm', 'https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf', 'https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/'], 'synonyms': ['InterPlanetary Storm']}\n", "IRATA {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.irata', 'https://twitter.com/muha2xmad/status/1562831996078157826', 'https://muha2xmad.github.io/malware-analysis/irata/', 'https://onecert.ir/portal/blog/irata']}\n", "IRRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat', 'https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/']}\n", "JadeRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat', 'https://blog.lookout.com/mobile-threat-jaderat']}\n", "Joker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker', 'https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/', 'https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2', 'https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1', 'https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/', 'https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/', 'https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html', 'https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html', 'https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/', 'https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus', 'https://labs.k7computing.com/?p=22199', 'https://muha2xmad.github.io/malware-analysis/hydra/', 'https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451'], 'synonyms': ['Bread']}\n", "KevDroid {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/', 'https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html']}\n", "Koler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler', 'https://twitter.com/LukasStefanko/status/928262059875213312']}\n", "KSREMOTE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ksremote', 'https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/']}\n", "LittleLooter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter', 'https://twitter.com/malwrhunterteam/status/1337684036374945792', 'https://www.youtube.com/watch?v=nilzxS9rxEM', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf', 'https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/']}\n", "Loki {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki', 'http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/']}\n", "LokiBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot', 'https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html', 'https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view', 'https://muha2xmad.github.io/mal-document/lokibotpdf/', 'https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728', 'https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/', 'https://isc.sans.edu/diary/27282', 'https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf']}\n", "LuckyCat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat', 'https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html']}\n", "Mandrake {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.mandrake', 'https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf']}\n", "Marcher {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher', 'https://securelist.com/mobile-malware-evolution-2019/96280/', 'https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html', 'https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware'], 'synonyms': ['ExoBot']}\n", "MasterFred {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred', 'https://twitter.com/AvastThreatLabs/status/1458162276708483073'], 'synonyms': ['Brox']}\n", "MazarBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot', 'https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/', 'https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html']}\n", "Medusa (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa', 'https://twitter.com/ThreatFabric/status/1285144962695340032', 'https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html', 'https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html'], 'synonyms': ['Gorgona']}\n", "Meterpreter (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter', 'https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12', 'https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html', 'https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe']}\n", "Monokle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle', 'https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf']}\n", "MoqHao {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao', 'https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/', 'https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html', 'https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf', 'https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/', 'https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1', 'https://securelist.com/roaming-mantis-part-v/96250/', 'https://www.xanhacks.xyz/p/moqhao-malware-analysis', 'https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html', 'https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/', 'https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf', 'https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/', 'https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/'], 'synonyms': ['Shaoye', 'XLoader']}\n", "Mudwater {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater', 'https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf']}\n", "MysteryBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot', 'https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html']}\n", "OmniRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat', 'https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co', 'https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/', 'https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT']}\n", "Oscorp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.oscorp', 'https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/', 'https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution'], 'synonyms': ['UBEL']}\n", "PackChat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat', 'https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/']}\n", "PhantomLance {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance', 'https://securelist.com/apt-phantomlance/96772/', 'https://securelist.com/it-threat-evolution-q2-2020/98230', 'https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf', 'https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html'], 'synonyms': ['PWNDROID1']}\n", "PhoneSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.phonespy', 'https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/']}\n", "PixStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixstealer', 'https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/', 'https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/'], 'synonyms': ['BrazKing']}\n", "PjobRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat', 'https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ', 'https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/', 'https://labs.k7computing.com/?p=22537']}\n", "Podec {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec', 'https://securelist.com/jack-of-all-trades/83470/']}\n", "X-Agent (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30', 'http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/', 'http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/'], 'synonyms': ['Popr-d30']}\n", "Fake Pornhub {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub']}\n", "Premier RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat', 'https://twitter.com/LukasStefanko/status/1084774825619537925']}\n", "Rafel RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.rafelrat', 'https://github.com/swagkarna/Rafel-Rat']}\n", "Rana {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.rana', 'https://blog.reversinglabs.com/blog/rana-android-malware']}\n", "Raxir {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir', 'https://twitter.com/PhysicalDrive0/statuses/798825019316916224']}\n", "RedAlert2 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores', 'https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html']}\n", "RemRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.remrat', 'https://blogs.360.cn/post/analysis-of-RemRAT.html']}\n", "Retefe (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe', 'http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html', 'http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/', 'http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html', 'http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html', 'https://www.govcert.admin.ch/blog/33/the-retefe-saga', 'http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html']}\n", "Revive {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.revive', 'https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan']}\n", "Riltok {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.riltok', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://securelist.com/mobile-banker-riltok/91374/']}\n", "Roaming Mantis {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis', 'https://securelist.com/roaming-mantis-reaches-europe/105596/', 'https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/', 'https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf', 'https://securelist.com/roaming-mantis-part-v/96250/', 'https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/', 'https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/']}\n", "Rogue {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.rogue', 'https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/']}\n", "Rootnik {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik', 'https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java', 'https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer']}\n", "Sauron Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker', 'https://twitter.com/LukasStefanko/status/1117795290155819008']}\n", "SharkBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot', 'https://muha2xmad.github.io/malware-analysis/sharkbot/', 'https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe', 'https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/', 'https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/', 'https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/', 'https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/']}\n", "SideWinder (Android) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.sidewinder', 'https://ti.qianxin.com/blog/articles/analysis-of-malware-android-software-spread-by-sidewinder-using-google-play/']}\n", "SilkBean {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean', 'https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf']}\n", "Skygofree {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree', 'https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/']}\n", "Slempo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo', 'https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html', 'https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html'], 'synonyms': ['SlemBunk']}\n", "Slocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker', 'https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/']}\n", "SmsAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent', 'https://blog.alyac.co.kr/2128', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/']}\n", "SMSspy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy']}\n", "S.O.V.A. {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova', 'https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html', 'https://muha2xmad.github.io/malware-analysis/sova/', 'https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly', 'https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/']}\n", "SpyBanker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker', 'https://news.drweb.com/show/?i=11104&lng=en', 'http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/']}\n", "SpyC23 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.spyc23', 'https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/']}\n", "SpyMax {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax', 'https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league', 'https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset', 'https://twitter.com/malwrhunterteam/status/1250412485808717826']}\n", "SpyNote {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote', 'https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn', 'https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/', 'https://labs.k7computing.com/index.php/spynote-an-android-snooper/', 'https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/', 'https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan', 'https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/', 'https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA', 'https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/', 'https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr']}\n", "StealthAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent', 'https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF']}\n", "Stealth Mango {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango', 'https://www.lookout.com/blog/stealth-mango', 'https://www.lookout.com/info/stealth-mango-report-ty']}\n", "Svpeng {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng', 'https://securelist.com/mobile-malware-evolution-2019/96280/', 'https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/']}\n", "Switcher {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher', 'https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/']}\n", "TalentRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat', 'https://twitter.com/LukasStefanko/status/1118066622512738304', 'https://www.secureworks.com/research/threat-profiles/platinum-terminal'], 'synonyms': ['Assassin RAT']}\n", "TangleBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.tangle_bot', 'https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled']}\n", "TeleRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat', 'https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/']}\n", "TemptingCedar Spyware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar', 'https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware']}\n", "ThiefBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.thiefbot', 'https://business.xunison.com/thiefbot-a-new-android-banking-trojan-targeting-turkish-banking-users/']}\n", "TianySpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.tianyspy', 'https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html']}\n", "TinyZ {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz', 'http://blog.group-ib.com/cron'], 'synonyms': ['Catelites Android Bot', 'MarsElite Android Bot']}\n", "Titan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan', 'https://www.alienvault.com/blogs/labs-research/delivery-keyboy', 'https://blog.lookout.com/titan-mobile-threat']}\n", "Triada {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada', 'https://securelist.com/triada-trojan-in-whatsapp-mod/103679/', 'https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/', 'https://securelist.com/apkpure-android-app-store-infected/101845/', 'https://securelist.com/mobile-malware-evolution-2019/96280/', 'https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/', 'https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/', 'http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html', 'https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/', 'https://security.googleblog.com/2019/06/pha-family-highlights-triada.html', 'https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/']}\n", "Triout {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout']}\n", "UltimaSMS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ultima_sms', 'https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast']}\n", "Unidentified APK 001 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001', 'https://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/']}\n", "Unidentified APK 002 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002']}\n", "Unidentified APK 004 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_004', 'https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/']}\n", "Unidentified APK 005 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005', 'https://blog.talosintelligence.com/2020/10/donot-firestarter.html', 'https://community.riskiq.com/article/6f60db72', 'https://s.tencent.com/research/report/951.html', 'https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/', 'https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html', 'https://twitter.com/voodoodahl1/status/1267571622732578816']}\n", "Unidentified APK 006 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006', 'https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749', 'https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20', 'https://twitter.com/ReBensk/status/1438027183490940931', 'https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/']}\n", "Unidentified 007 (ARMAAN RAT) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_007', 'https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/']}\n", "Unidentified APK 008 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_008', 'https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/']}\n", "VajraSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.vajraspy', 'https://twitter.com/LukasStefanko/status/1509451238366236674', 'https://twitter.com/malwrhunterteam/status/1481312752782258176', 'https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww']}\n", "vamp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.vamp', 'https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/'], 'synonyms': ['android.micropsia']}\n", "Viper RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat', 'https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/', 'https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/', 'https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf']}\n", "Vultur {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.vultur', 'https://www.threatfabric.com/blogs/vultur-v-for-vnc.html', 'https://twitter.com/_icebre4ker_/status/1485651238175846400'], 'synonyms': ['Vulture']}\n", "WireX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex', 'https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/', 'https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/', 'https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/', 'https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack']}\n", "WolfRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.wolf_rat', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html']}\n", "Wroba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba', 'https://securelist.com/roaming-mantis-reaches-europe/105596/', 'https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan']}\n", "Xbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot', 'https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/', 'https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/']}\n", "Xenomorph {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph', 'https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html', 'https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5']}\n", "xHelper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.xhelper', 'https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/']}\n", "XploitSPY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.xploitspy', 'https://twitter.com/malwrhunterteam/status/1249768400806653952']}\n", "XRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat', 'https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf', 'https://blog.lookout.com/xrat-mobile-threat']}\n", "YellYouth {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth', 'https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html']}\n", "Zen {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen', 'https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html']}\n", "ZooPark {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark', 'https://securelist.com/whos-who-in-the-zoo/85394', 'https://www.secureworks.com/research/threat-profiles/cobalt-juno', 'https://securelist.com/whos-who-in-the-zoo/85394/', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf']}\n", "Ztorg {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg', 'https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1', 'http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2', 'https://securelist.com/ztorg-from-rooting-to-sms/78775/'], 'synonyms': ['Qysly']}\n", "TwoFace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface', 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf', 'https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/', 'https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf', 'https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/', 'https://unit42.paloaltonetworks.com/atoms/evasive-serpens/', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf', 'https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI', 'https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/', 'https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae', 'https://www.youtube.com/watch?v=GjquFKa4afU', 'https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/'], 'synonyms': ['HighShell', 'HyperShell', 'Minion', 'SEASHARPEE']}\n", "Unidentified ASP 001 (Webshell) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001']}\n", "Abcbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot', 'https://www.cadosecurity.com/the-continued-evolution-of-abcbot/', 'https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/', 'https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/', 'https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/']}\n", "ACBackdoor (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor', 'https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf']}\n", "AcidRain {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidrain', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works', 'https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html', 'https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html', 'https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/', 'https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/', 'https://cybersecuritynews.com/acidrain-wiper-malware/', 'https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat']}\n", "AgeLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker', 'https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/', 'https://twitter.com/IntezerLabs/status/1326880812344676352', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/']}\n", "AirDropBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop', 'https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html'], 'synonyms': ['CloudBot']}\n", "Aisuru {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru', 'https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/']}\n", "AnchorDNS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30', 'https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/', 'https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf', 'https://www.netscout.com/blog/asert/dropping-anchor', 'https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate', 'https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns']}\n", "ANGRYREBEL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.angryrebel', 'https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-olive'], 'synonyms': ['Ghost RAT']}\n", "Avoslocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker', 'https://blog.lexfo.fr/Avoslocker.html', 'https://www.ic3.gov/Media/News/2022/220318.pdf', 'https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html', 'https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen', 'https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux']}\n", "azazel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.azazel', 'https://github.com/chokepoint/azazel']}\n", "B1txor20 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.b1txor20', 'https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/']}\n", "Babuk (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/', 'https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/', 'https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2', 'https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf', 'https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings', 'https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/']}\n", "Backdoorit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoorit', 'https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/'], 'synonyms': ['backd00rit']}\n", "Irc16 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16', 'https://news.drweb.com/show/?c=5&i=10193&lng=en']}\n", "Bashlite {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora', 'https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/', 'https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt', 'https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218', 'https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/', 'https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/', 'https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/', 'https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/', 'https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/', 'https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group', 'https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/', 'https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/', 'https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/', 'http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/'], 'synonyms': ['Gafgyt', 'gayfgt', 'lizkebab', 'qbot', 'torlus']}\n", "BCMPUPnP_Hunter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter', 'https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/']}\n", "Bifrost {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost', 'https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/'], 'synonyms': ['elf.bifrose']}\n", "BigViktor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor', 'https://blog.netlab.360.com/bigviktor-dga-botnet/']}\n", "BioSet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.bioset', 'https://twitter.com/IntezerLabs/status/1409844721992749059']}\n", "BlackCat (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat', 'https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/', 'https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/', 'https://securelist.com/new-ransomware-trends-in-2022/106457/', 'https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/', 'https://blog.group-ib.com/blackcat', 'https://killingthebear.jorgetesta.tech/actors/alphv', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html', 'https://www.forescout.com/resources/analysis-of-an-alphv-incident', 'https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html', 'https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive', 'https://securelist.com/a-bad-luck-blackcat/106254/', 'https://twitter.com/sisoma2/status/1473243875158499330', 'https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments', 'https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/', 'https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/', 'https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/'], 'synonyms': ['ALPHV', 'Noberus']}\n", "BlackMatter (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://blog.group-ib.com/blackmatter#', 'https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf', 'https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2', 'https://twitter.com/VK_Intel/status/1423188690126266370', 'https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html', 'https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/', 'https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service', 'https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor', 'https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/', 'https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/', 'https://www.youtube.com/watch?v=NIiEcOryLpI', 'https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://twitter.com/GelosSnake/status/1451465959894667275', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.mandiant.com/resources/chasing-avaddon-ransomware', 'https://us-cert.cisa.gov/ncas/alerts/aa21-291a', 'https://blog.group-ib.com/blackmatter2']}\n", "Blackrota {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/', 'https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/']}\n", "Break out the Box {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.botb', 'https://github.com/brompwnie/botb'], 'synonyms': ['BOtB']}\n", "BotenaGo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.botenago', 'https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github', 'https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/', 'https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/', 'https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits']}\n", "BPFDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor', 'https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#', 'https://troopers.de/troopers22/talks/7cv8pz/', 'https://exatrack.com/public/Tricephalic_Hellkeeper.pdf', 'https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/', 'https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/', 'https://twitter.com/CraigHRowland/status/1523266585133457408', 'https://twitter.com/cyb3rops/status/1523227511551033349', 'https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896'], 'synonyms': ['JustForFun']}\n", "Bvp47 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.bvp47', 'https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html', 'https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf', 'https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/', 'https://exatrack.com/public/Tricephalic_Hellkeeper.pdf', 'https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf', 'https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/']}\n", "Caligula {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.caligula', 'https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/']}\n", "Capoae {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.capoae', 'https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread']}\n", "CDorked {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked', 'https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/', 'https://www.symantec.com/security-center/writeup/2013-050214-5501-99', 'https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/', 'https://blogs.cisco.com/security/linuxcdorked-faqs', 'https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html'], 'synonyms': ['CDorked.A']}\n", "CDRThief {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief', 'https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/']}\n", "Cephei {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cephei', 'https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader']}\n", "Cetus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cetus', 'https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/']}\n", "Chapro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro', 'http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html', 'http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a']}\n", "Chisel (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel', 'https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/']}\n", "Cloud Snooper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought', 'https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf'], 'synonyms': ['Snoopy']}\n", "Conti (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti', 'https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://securelist.com/new-ransomware-trends-in-2022/106457/', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures', 'https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike', 'https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html', 'https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again', 'https://www.youtube.com/watch?v=cYx7sQRbjGA'], 'synonyms': ['Conti Locker']}\n", "Corona DDOS Bot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.corona', 'https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/']}\n", "Cpuminer (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer', 'https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/', 'https://github.com/pooler/cpuminer']}\n", "Cr1ptT0r {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r', 'https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html', 'https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html', 'https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/'], 'synonyms': ['CriptTor']}\n", "CronRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cronrat', 'https://sansec.io/research/cronrat']}\n", "CyclopsBlink {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink', 'https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html', 'https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/', 'https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-054a', 'https://www.theregister.com/2022/03/18/cyclops_asus_routers/', 'https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf', 'https://www.justice.gov/opa/press-release/file/1491281/download', 'https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute', 'https://attack.mitre.org/groups/G0034', 'https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/', 'https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/', 'https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/']}\n", "Dacls (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/', 'https://blog.netlab.360.com/dacls-the-dual-platform-rat/', 'https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/', 'https://www.sygnia.co/mata-framework', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought']}\n", "Dark {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark', 'https://twitter.com/ESETresearch/status/1440052837820428298?s=20', 'https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/', 'https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities', 'https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx', 'https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx'], 'synonyms': ['Dark.IoT']}\n", "Dark Nexus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus', 'https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly', 'https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html']}\n", "DarkSide (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/', 'https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/', 'https://blog.group-ib.com/blackmatter#', 'https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636', 'https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/', 'https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html', 'https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted', 'https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/', 'https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access', 'https://therecord.media/popular-hacking-forum-bans-ransomware-ads/', 'https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212', 'https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/', 'https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b', 'https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside', 'https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/', 'https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.ic3.gov/Media/News/2021/211101.pdf', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service', 'https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group', 'https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/', 'https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin', 'https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/', 'https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/', 'https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime', 'https://twitter.com/JAMESWT_MHT/status/1388301138437578757', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/', 'https://www.youtube.com/watch?v=NIiEcOryLpI', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://twitter.com/GelosSnake/status/1451465959894667275', 'https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/', 'https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://pylos.co/2021/05/13/mind-the-air-gap/', 'https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version', 'https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/', 'https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/', 'https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/', 'https://blog.group-ib.com/blackmatter2', 'https://www.youtube.com/watch?v=qxPXxWMI2i4']}\n", "DarkRadiation {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark_radiation', 'https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/']}\n", "DDG {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg', 'https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/', 'https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/', 'https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/', 'https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/', 'https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/']}\n", "ddoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddoor', 'https://github.com/rek7/ddoor']}\n", "DEADBOLT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt', 'https://community.riskiq.com/article/1601124b', 'https://securelist.com/new-ransomware-trends-in-2022/106457/', 'https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/', 'https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html']}\n", "Denonia {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.denonia', 'https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html', 'https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/']}\n", "Derusbi (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.derusbi', 'https://twitter.com/IntezerLabs/status/1407676522534735873?s=20', 'https://attack.mitre.org/groups/G0096', 'https://attack.mitre.org/groups/G0001/']}\n", "Dofloo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo', 'https://blog.syscall.party/post/aes-ddos-analysis-part-1/', 'https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/', 'https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf'], 'synonyms': ['AESDDoS']}\n", "Doki {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.securecoding.com/blog/all-about-doki-malware/', 'https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/']}\n", "DoubleFantasy (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.doublefantasy', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf']}\n", "Ebury {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury', 'https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/', 'https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf', 'https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/', 'https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download', 'https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/', 'https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy', 'https://security.web.cern.ch/security/advisories/windigo/windigo.shtml', 'https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/']}\n", "Echobot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot', 'https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/', 'https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html', 'https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/', 'https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada']}\n", "EnemyBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot', 'https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory', 'https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet', 'https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers']}\n", "Erebus (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/']}\n", "EvilGnome {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome', 'https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought', 'https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf']}\n", "EwDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ewdoor', 'https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/']}\n", "Exaramel (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf', 'https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm', 'https://www.wired.com/story/sandworm-centreon-russia-hack/', 'https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/', 'https://attack.mitre.org/groups/G0034', 'https://twitter.com/craiu/status/1361581668092493824', 'https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf']}\n", "ext4 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4', 'https://www.recordedfuture.com/chinese-cyberespionage-operations/', 'https://www.recordedfuture.com/chinese-cyberespionage-operations']}\n", "Facefish {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.facefish', 'https://blog.netlab.360.com/ssh_stealer_facefish_en/']}\n", "FBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot', 'https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/', 'https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/', 'https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html', 'https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html']}\n", "FinFisher (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher', 'https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/', 'https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/', 'https://securelist.com/finspy-unseen-findings/104322/']}\n", "floodor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor', 'https://github.com/Thibault-69/Floodor']}\n", "FontOnLake {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.fontonlake', 'https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/']}\n", "FritzFrog {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break', 'https://www.akamai.com/blog/security/fritzfrog-p2p', 'https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/']}\n", "Gitpaste-12 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12', 'https://blogs.juniper.net/en-us/threat-research/gitpaste-12']}\n", "Glupteba Proxy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.glupteba_proxy', 'https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/', 'https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html']}\n", "Godlua {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua', 'https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/']}\n", "GOSH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.gosh', 'https://twitter.com/IntezerLabs/status/1291355808811409408']}\n", "GreedyAntd {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd', 'https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/']}\n", "HabitsRAT (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.habitsrat', 'https://twitter.com/michalmalik/status/1435918937162715139']}\n", "Haiduc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.haiduc', 'https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf']}\n", "Hajime {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime', 'https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf', 'https://par.nsf.gov/servlets/purl/10096257', 'https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461', 'https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things', 'https://blog.netlab.360.com/quick-summary-port-8291-scan-en/', 'https://github.com/Psychotropos/hajime_hashes', 'http://blog.netlab.360.com/hajime-status-report-en/', 'https://x86.re/blog/hajime-a-follow-up/']}\n", "Hakai {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai', 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/']}\n", "HandyMannyPot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot', 'https://twitter.com/liuya0904/status/1171633662502350848']}\n", "Hand of Thief {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief', 'https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/', 'https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/'], 'synonyms': ['Hanthie']}\n", "HelloKitty (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty', 'https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire', 'https://unit42.paloaltonetworks.com/emerging-ransomware-groups/', 'https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group', 'https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225', 'https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/', 'https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/']}\n", "HiddenWasp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp', 'https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought', 'https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/']}\n", "Hide and Seek {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek', 'https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/', 'https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/', 'https://blog.avast.com/hide-n-seek-botnet-continues', 'https://threatlabs.avast.com/botnet', 'https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/', 'https://blog.netlab.360.com/hns-botnet-recent-activities-en/', 'https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html', 'https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/', 'https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/'], 'synonyms': ['HNS']}\n", "Hipid {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hipid', 'https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html']}\n", "Hive (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive', 'https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/', 'https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/', 'https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/', 'https://arxiv.org/pdf/2202.08477.pdf', 'https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/', 'https://github.com/rivitna/Malware/tree/main/Hive', 'https://twitter.com/ESETresearch/status/1454100591261667329', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://blog.group-ib.com/hive', 'https://twitter.com/malwrhunterteam/status/1455628865229950979', 'https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/', 'https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html', 'https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive', 'https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html', 'https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again']}\n", "Hubnr {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.hubnr', 'https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet']}\n", "Icnanker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker', 'https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/']}\n", "IoT Reaper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper', 'https://research.checkpoint.com/new-iot-botnet-storm-coming/', 'http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/', 'https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm'], 'synonyms': ['IoTroop', 'Reaper', 'iotreaper']}\n", "IPStorm (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network', 'https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf', 'https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/'], 'synonyms': ['InterPlanetary Storm']}\n", "JenX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx', 'https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/']}\n", "Kaiji {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji', 'https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/', 'https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775', 'https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/']}\n", "Kaiten {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten', 'https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/', 'https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day', 'https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html', 'https://www.lacework.com/the-kek-security-network/'], 'synonyms': ['STD']}\n", "kerberods {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods', 'https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html', 'https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang', 'https://blog.talosintelligence.com/2019/09/watchbog-patching.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/', 'https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916']}\n", "KEYPLUG {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug', 'https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf', 'https://twitter.com/CyberJack42/status/1501290277864046595', 'https://experience.mandiant.com/trending-evil/p/1', 'https://www.mandiant.com/resources/mobileiron-log4shell-exploitation', 'https://www.mandiant.com/resources/apt41-us-state-governments'], 'synonyms': ['ELFSHELF']}\n", "kfos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.kfos', 'https://twitter.com/r3dbU7z/status/1378564694462586880']}\n", "Kinsing {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability', 'https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/', 'https://twitter.com/IntezerLabs/status/1259818964848386048', 'https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts', 'https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/', 'https://unit42.paloaltonetworks.com/cve-2020-25213/', 'https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/', 'https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html', 'https://unit42.paloaltonetworks.com/atoms/moneylibra/', 'https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html', 'https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/', 'https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743', 'https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775', 'https://redcanary.com/blog/kinsing-malware-citrix-saltstack/', 'https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces', 'https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html'], 'synonyms': ['h2miner']}\n", "KIVARS (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.kivars', 'https://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html']}\n", "Kobalos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos', 'https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf', 'https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/', 'https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf', 'https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/']}\n", "Lady {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady', 'https://news.drweb.com/news/?i=10140&lng=en']}\n", "LeetHozer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer', 'https://blog.netlab.360.com/the-leethozer-botnet-en/']}\n", "Lightning Framework {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.lightning', 'https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/']}\n", "LiLock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock', 'https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/', 'https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html', 'https://fossbytes.com/lilocked-ransomware-infected-linux-servers/'], 'synonyms': ['Lilocked', 'Lilu']}\n", "lilyofthevalley {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley', 'https://github.com/En14c/LilyOfTheValley']}\n", "LiquorBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot', 'https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/', 'https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/']}\n", "LockBit (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit', 'https://www.ic3.gov/Media/News/2022/220204.pdf', 'https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf', 'https://blog.compass-security.com/2022/03/vpn-appliance-forensics/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/', 'https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants', 'https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/']}\n", "Loerbas {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas', 'https://atdotde.blogspot.com/2020/05/high-performance-hackers.html', 'https://www.cadosecurity.com/2020/05/16/1318/', 'https://twitter.com/nunohaien/status/1261281419483140096']}\n", "Log Collector {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector', 'https://blog.netlab.360.com/dacls-the-dual-platform-rat/']}\n", "Lootwodniw {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw', 'https://twitter.com/ddash_ct/status/1326887125103616000']}\n", "Manjusaka (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.manjusaka', 'https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html', 'https://github.com/avast/ioc/tree/master/Manjusaka']}\n", "Masuta {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta', 'https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7', 'https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/', 'https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes'], 'synonyms': ['PureMasuta']}\n", "Matryosh {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh', 'https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/']}\n", "MESSAGETAP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://attack.mitre.org/groups/G0096', 'https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought']}\n", "Midrashim {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim', 'https://www.guitmz.com/linux-midrashim-elf-virus/', 'https://github.com/guitmz/midrashim']}\n", "MiKey {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md', 'https://securitykitten.github.io/2016/12/14/mikey.html']}\n", "Mirai (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093', 'https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html', 'https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/', 'https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/', 'https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/', 'https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/', 'https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign', 'https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot', 'https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039', 'https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine', 'https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html', 'https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/', 'https://synthesis.to/2021/06/30/automating_string_decryption.html', 'https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/', 'https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/', 'https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/', 'https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts', 'https://github.com/jgamblin/Mirai-Source-Code', 'https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/', 'https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/', 'https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/', 'https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html', 'https://www.youtube.com/watch?v=KVJyYTie-Dc', 'https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/', 'https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/', 'https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group', 'https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/', 'https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/', 'https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space', 'https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18', 'https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/', 'http://osint.bambenekconsulting.com/feeds/', 'https://community.riskiq.com/article/d8a78daf', 'https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/', 'https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/', 'https://isc.sans.edu/diary/22786', 'https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html', 'https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai', 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/', 'https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html', 'https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt', 'https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/', 'https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/', 'https://cert.gov.ua/article/37139', 'https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants', 'https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet', 'https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/', 'https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/', 'https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/', 'http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/', 'https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf', 'https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet', 'https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/'], 'synonyms': ['Katana']}\n", "Mokes (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes', 'https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/']}\n", "Momentum {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.momentum', 'https://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html']}\n", "MooBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot', 'https://unit42.paloaltonetworks.com/moobot-d-link-devices/', 'https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability', 'https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b', 'https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/', 'https://blog.netlab.360.com/ddos-botnet-moobot-en/', 'https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/']}\n", "Moose {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose', 'http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/', 'http://www.welivesecurity.com/2015/05/26/moose-router-worm/', 'https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf', 'http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/']}\n", "Mozi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi', 'https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet', 'https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/', 'https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/', 'https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/', 'https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/', 'https://blog.netlab.360.com/mozi-another-botnet-using-dht/', 'https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/', 'https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/', 'https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/', 'https://www.youtube.com/watch?v=cDFO_MRlg3M', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf']}\n", "MrBlack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack', 'https://news.drweb.com/?i=5760&c=23&lng=en', 'https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf']}\n", "Mumblehard {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.mumblehard', 'https://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf']}\n", "Nextcry {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry', 'https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/']}\n", "Ngioweb (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb', 'https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/', 'https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/', 'https://twitter.com/IntezerLabs/status/1324346324683206657']}\n", "NiuB {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.niub', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/']}\n", "NOTROBIN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/', 'https://news.sophos.com/en-us/2020/05/21/asnarok2/', 'https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html', 'https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/', 'https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought', 'https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/'], 'synonyms': ['remove_bds']}\n", "OrBit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.orbit', 'https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/']}\n", "Owari {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari', 'https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863', 'https://twitter.com/360Netlab/status/1019759516789821441', 'https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html', 'https://twitter.com/ankit_anubhav/status/1019647993547550720', 'https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/', 'https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/', 'https://twitter.com/hrbrmstr/status/1019922651203227653']}\n", "p0sT5n1F3r {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r', 'https://www.vargroup.it/wp-content/uploads/2019/10/ReverseEngineering_SecurityReport_EN_2019.10.16-2.pdf']}\n", "pbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot', 'https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html']}\n", "Penquin Turla {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://securelist.com/big-threats-using-code-similarity-part-1/97239/', 'https://lab52.io/blog/looking-for-penquins-in-the-wild/', 'https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf', 'https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf', 'https://www.youtube.com/watch?v=JXsjRUxx47E', 'https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf', 'https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf', 'https://twitter.com/juanandres_gs/status/944741575837528064']}\n", "PerlBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot', 'https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html', 'https://twitter.com/Nocturnus/status/1308430959512092673', 'https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf', 'https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/', 'https://sysdig.com/blog/malware-analysis-shellbot-sysdig/', 'https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/', 'https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf', 'https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/', 'https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/'], 'synonyms': ['DDoS Perl IrcBot', 'ShellBot']}\n", "Persirai {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai', 'http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/']}\n", "Pink {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.pink', 'https://blog.netlab.360.com/pink-en/']}\n", "PLEAD (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf', 'https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/', 'https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020']}\n", "PRISM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism', 'https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar'], 'synonyms': ['waterdrop']}\n", "PrivetSanya {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.privet_sanya', 'https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/']}\n", "Prometei (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities', 'https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html', 'https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html', 'https://twitter.com/IntezerLabs/status/1338480158249013250', 'https://cujo.com/iot-malware-journals-prometei-linux/']}\n", "Pro-Ocean {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean', 'https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/', 'https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/']}\n", "pupy (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf', 'https://github.com/n1nj4sec/pupy']}\n", "QNAPCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt', 'https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/', 'https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/', 'https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/', 'https://www.ibm.com/downloads/cas/Z81AVOY7', 'https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/', 'https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf', 'https://www.qnap.com/en/security-advisory/QSA-20-02', 'https://www.anomali.com/blog/the-ech0raix-ransomware', 'https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought'], 'synonyms': ['eCh0raix']}\n", "QSnatch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch', 'https://bin.re/blog/the-dga-of-qsnatch/', 'https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf', 'https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html', 'https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf', 'https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices', 'https://us-cert.cisa.gov/ncas/alerts/aa20-209a']}\n", "QUIETEXIT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit', 'https://www.mandiant.com/resources/unc3524-eye-spy-email']}\n", "r2r2 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2', 'https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/']}\n", "RagnarLocker (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html', 'https://twitter.com/malwrhunterteam/status/1475568201673105409']}\n", "Rakos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos', 'https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22', 'http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/']}\n", "RansomEXX (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx', 'https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf', 'https://www.youtube.com/watch?v=qxPXxWMI2i4', 'https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.ic3.gov/Media/News/2021/211101.pdf', 'https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/'], 'synonyms': ['Defray777']}\n", "RapperBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rapper_bot', 'https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery']}\n", "RaspberryPiBotnet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet', 'https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/']}\n", "rat_hodin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin', 'https://github.com/Thibault-69/RAT-Hodin-v2.5']}\n", "rbs_srv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv', 'https://github.com/Thibault-69/Remote_Shell']}\n", "RedXOR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.redxor', 'https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/']}\n", "RedAlert Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert', 'https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/', 'https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/'], 'synonyms': ['N13V']}\n", "Rekoobe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe', 'https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/', 'https://vms.drweb.com/virus/?i=7754026&lng=en', 'https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt', 'https://twitter.com/billyleonard/status/1458531997576572929', 'https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/', 'https://sansec.io/research/rekoobe-fishpig-magento', 'https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/', 'https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/']}\n", "reptile {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile', 'https://github.com/f0rb1dd3n/Reptile', 'https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf']}\n", "REvil (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil', 'https://github.com/f0wl/REconfig-linux', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo', 'https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment', 'https://www.bbc.com/news/technology-59297187', 'https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf', 'https://twitter.com/VK_Intel/status/1409601311092490248', 'https://www.youtube.com/watch?v=mDUMpYAOMOo', 'https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil', 'https://home.treasury.gov/news/press-releases/jy0471', 'https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/', 'https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf', 'https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/', 'https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021', 'https://analyst1.com/file-assets/History-of-REvil.pdf', 'https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5', 'https://angle.ankura.com/post/102hcny/revix-linux-ransomware', 'https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/', 'https://threatpost.com/ransomware-revil-sites-disappears/167745/', 'https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/', 'http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html', 'https://ke-la.com/will-the-revils-story-finally-be-over/', 'https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa', 'https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ', 'https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide', 'https://twitter.com/VK_Intel/status/1409601311092490248?s=20', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil', 'https://twitter.com/IntezerLabs/status/1452980772953071619', 'https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released', 'https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/', 'https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf', 'https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/', 'https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya', 'https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin', 'https://malienist.medium.com/revix-linux-ransomware-d736956150d0', 'https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version', 'https://www.flashpoint-intel.com/blog/revil-disappears-again/', 'https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html', 'https://www.youtube.com/watch?v=ptbNMlWxYnE', 'https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf', 'https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20', 'https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/', 'https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/'], 'synonyms': ['REvix']}\n", "Rex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex', 'https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/']}\n", "RHOMBUS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus', 'https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/']}\n", "Roboto {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.roboto', 'https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin', 'https://blog.netlab.360.com/the-awaiting-roboto-botnet-en']}\n", "RotaJakiro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro', 'https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro', 'https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/', 'https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/']}\n", "Rshell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.rshell', 'https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html']}\n", "Satori {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori', 'http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/', 'http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori', 'https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/', 'https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/', 'http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/', 'https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/', 'https://www.arbornetworks.com/blog/asert/the-arc-of-satori/']}\n", "SBIDIOT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sbidiot', 'https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/', 'https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/', 'https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/']}\n", "ShellBind {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind', 'http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry']}\n", "Shishiga {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga', 'https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/']}\n", "SideWalk (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sidewalk', 'https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/']}\n", "Silex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.silex', 'https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/'], 'synonyms': ['silexbot']}\n", "SLAPSTICK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick', 'https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html', 'https://www.mandiant.com/resources/unc2891-overview']}\n", "SoWaT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sowat', 'https://twitter.com/bkMSFT/status/1417823714922610689', 'https://twitter.com/billyleonard/status/1417910729005490177', 'https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003', 'https://imp0rtp3.wordpress.com/2021/11/25/sowat/']}\n", "Spamtorte {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte', 'https://cis.verint.com/2016/11/08/spamtorte-version-2/']}\n", "SpeakUp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup', 'https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/']}\n", "Specter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter', 'https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/', 'https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/']}\n", "Speculoos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos', 'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html', 'https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas']}\n", "SSHDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor', 'https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/', 'http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html']}\n", "Stantinko {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/', 'https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/', 'https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/', 'https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/', 'https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/']}\n", "STEELCORGI {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi', 'https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/', 'https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html', 'https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/', 'https://www.mandiant.com/resources/unc2891-overview']}\n", "Sunless {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless', 'https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/']}\n", "sustes miner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes', 'https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/']}\n", "Suterusu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.suterusu', 'https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/'], 'synonyms': ['HCRootkit']}\n", "Symbiote {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote', 'https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat', 'https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/', 'https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote', 'https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/']}\n", "SysJoker (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysjoker', 'https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/', 'https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/', 'https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html']}\n", "Sysrv-hello (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysrvhello', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/', 'https://www.lacework.com/sysrv-hello-expands-infrastructure/', 'https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet'], 'synonyms': ['Sysrv']}\n", "TeamTNT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt', 'https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://unit42.paloaltonetworks.com/atoms/thieflibra/', 'https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf', 'https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials', 'https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/', 'https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment', 'https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server', 'https://unit42.paloaltonetworks.com/atoms/adept-libra/', 'https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/', 'https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/', 'https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera', 'https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/', 'https://sysdig.com/blog/teamtnt-aws-credentials/', 'https://tolisec.com/active-crypto-mining-operation-by-teamtnt/', 'https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf', 'https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool', 'https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked', 'https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools', 'https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/']}\n", "TheMoon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon', 'https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers', 'https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902']}\n", "TNTbotinger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger', 'https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html', 'https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/']}\n", "Torii {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii', 'https://blog.avast.com/new-torii-botnet-threat-research']}\n", "Trump Bot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot', 'http://paper.seebug.org/345/']}\n", "TSCookie {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://twitter.com/ESETresearch/status/1382054011264700416', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf', 'https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf', 'https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020', 'https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html', 'https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf']}\n", "tsh {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh', 'https://github.com/creaktive/tsh']}\n", "Tsunami (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf', 'https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039', 'https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/', 'https://sysdig.com/blog/muhstik-malware-botnet-analysis/', 'https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks', 'https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/', 'https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt', 'https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server', 'https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/', 'https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/', 'https://blog.aquasec.com/fileless-malware-container-security', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/', 'https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/', 'https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134', 'https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775', 'https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/', 'https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers', 'http://get.cyberx-labs.com/radiation-report', 'https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/'], 'synonyms': ['Amnesia', 'Muhstik', 'Radiation']}\n", "Turla RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat']}\n", "Umbreon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon', 'http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html', 'http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/'], 'synonyms': ['Espeon']}\n", "Unidentified Linux 001 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001', 'https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability']}\n", "Unidentified ELF 004 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_004', 'https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/']}\n", "Unidentified 005 (Sidecopy) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_005', \"https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/\"]}\n", "Unidentified ELF 006 (Tox Backdoor) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_006', 'https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers']}\n", "Vermilion Strike (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike', 'https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html']}\n", "VPNFilter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter', 'https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html', 'https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter', 'https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/', 'https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities', 'https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/', 'https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/', 'https://blog.talosintelligence.com/2018/05/VPNFilter.html', 'https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected', 'https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-054a', 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en', 'https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html', 'https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/', 'https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf', 'https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware', 'https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf', 'https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html']}\n", "WatchBog {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog', 'https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/']}\n", "WellMail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c', 'https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://blog.talosintelligence.com/2020/08/attribution-puzzle.html', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf']}\n", "elf.wellmess {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://us-cert.cisa.gov/ncas/alerts/aa21-116a', 'https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html', 'https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html', 'https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html', 'https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://blog.talosintelligence.com/2020/08/attribution-puzzle.html', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://community.riskiq.com/article/541a465f/description', 'https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf']}\n", "Winnti (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought', 'https://attack.mitre.org/groups/G0096', 'https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a']}\n", "Wirenet (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet', 'http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html', 'https://news.drweb.com/show/?i=2679&lng=en&c=14']}\n", "X-Agent (ELF) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent', 'https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/', 'http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/', 'https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf'], 'synonyms': ['chopstick', 'fysbis', 'splm']}\n", "Xanthe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe', 'https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775', 'https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/', 'https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html']}\n", "Xaynnalc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc', 'https://twitter.com/michalmalik/status/846368624147353601']}\n", "Xbash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash', 'https://unit42.paloaltonetworks.com/atoms/agedlibra/', 'https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/']}\n", "XOR DDoS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos', 'https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/', 'https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf', 'https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf', 'https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/', 'https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/', 'https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775', 'https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf', 'https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/', 'https://en.wikipedia.org/wiki/Xor_DDoS', 'https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/', 'https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/', 'https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/', 'https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html', 'https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html', 'http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html', 'https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf', 'https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/'], 'synonyms': ['XORDDOS']}\n", "ZHtrap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.zhtrap', 'https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/']}\n", "Zollard {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard', 'https://blogs.cisco.com/security/the-internet-of-everything-including-malware'], 'synonyms': ['darlloz']}\n", "ZuoRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/elf.zuo_rat', 'https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/']}\n", "AutoCAD Downloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad', 'https://github.com/Hopfengetraenk/Fas-Disasm', 'https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft'], 'synonyms': ['Acad.Bursted', 'Duxfas']}\n", "DualToy (iOS) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy', 'http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/']}\n", "GuiInject {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject', 'https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/']}\n", "lightSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/', 'https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf', 'https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/']}\n", "Phenakite {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.phenakite', 'https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html'], 'synonyms': ['Dakkatoni']}\n", "PoisonCarp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp', 'https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/', 'https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/'], 'synonyms': ['INSOMNIA']}\n", "Postlo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.postlo', 'https://twitter.com/opa334dev/status/1374754519268098051']}\n", "WireLurker (iOS) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf']}\n", "X-Agent (iOS) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ios.xagent', 'https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/', 'https://www.secureworks.com/research/threat-profiles/iron-twilight']}\n", "AdWind {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://citizenlab.ca/2015/12/packrat-report/', 'https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat', 'https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885', 'http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat', 'https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html', 'https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'http://malware-traffic-analysis.net/2017/07/04/index.html', 'https://research.checkpoint.com/malware-against-the-c-monoculture/', 'https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html', 'https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/', 'https://blogs.seqrite.com/evolution-of-jrat-java-malware/'], 'synonyms': ['AlienSpy', 'Frutas', 'JBifrost', 'JSocket', 'Sockrat', 'UNRECOM']}\n", "Adzok {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.adzok', 'https://citizenlab.ca/2015/12/packrat-report/']}\n", "Banload {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf', 'https://colin.guru/index.php?title=Advanced_Banload_Analysis', 'https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload']}\n", "Blue Banana RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.bluebanana', 'https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community']}\n", "CrossRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat', 'https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf', 'https://objective-see.com/blog/blog_0x28.html'], 'synonyms': ['Trupto']}\n", "EpicSplit RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.epicsplit', 'https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat']}\n", "FEimea RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat', 'https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/']}\n", "IceRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.icerat', 'https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp']}\n", "JavaDispCash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash', 'https://twitter.com/r3c0nst/status/1111254169623674882', 'https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore']}\n", "JavaLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.javalocker', 'https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html', 'https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html'], 'synonyms': ['JavaEncrypt Ransomware']}\n", "jRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat', 'https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/', 'https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/', 'https://www.eff.org/files/2018/01/29/operation-manul.pdf', 'https://research.checkpoint.com/malware-against-the-c-monoculture/', 'https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered'], 'synonyms': ['Jacksbot']}\n", "jSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy', 'https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/']}\n", "Octopus Scanner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.octopus_scanner', 'https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain', 'http://blog.nsfocus.net/github-ocs-0605/']}\n", "Qarallax RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat', 'http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/']}\n", "Qealler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler', 'https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf', 'https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/', 'https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/', 'https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/', 'https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/', 'https://www.herbiez.com/?p=1352', 'https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer'], 'synonyms': ['Pyrogenic Infostealer']}\n", "QRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/', 'https://www.digitrustgroup.com/java-rat-qrat/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/'], 'synonyms': ['Quaverse RAT']}\n", "Ratty {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/']}\n", "Sorillus RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus', 'https://abnormalsecurity.com/blog/tax-customers-sorillus-rat']}\n", "STRRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat', 'https://twitter.com/MsftSecIntel/status/1395138347601854465', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries', 'https://www.gdatasoftware.com/blog/strrat-crimson', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://www.jaiminton.com/reverse-engineering/strrat', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain', 'https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape', 'https://forensicitguy.github.io/strrat-attached-to-msi/', 'https://www.jaiminton.com/reverse-engineering/strrat#', 'https://isc.sans.edu/diary/rss/27798', 'https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf']}\n", "SupremeBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot', 'https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/'], 'synonyms': ['BlazeBot']}\n", "Verblecon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jar.verblecon', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord']}\n", "AIRBREAK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk', 'http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html', 'https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html'], 'synonyms': ['Orz']}\n", "Bateleur {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-niagara', 'https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/']}\n", "BELLHOP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf']}\n", "CACTUSTORCH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch', 'https://github.com/mdsecactivebreach/CACTUSTORCH', 'https://www.macnica.net/file/mpression_automobile.pdf', 'https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/', 'https://www.codercto.com/a/46729.html', 'https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf', 'https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/']}\n", "ChromeBack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.chromeback', 'https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/', 'https://unit42.paloaltonetworks.com/chromeloader-malware/']}\n", "CryptoNight {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight', 'https://twitter.com/JohnLaTwC/status/983011262731714565', 'https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec']}\n", "CukieGrab {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx', 'http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/'], 'synonyms': ['Roblox Trade Assist']}\n", "DarkWatchman {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman', 'https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/', 'https://www.prevailion.com/darkwatchman-new-fileness-techniques/']}\n", "DNSRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat', 'https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf'], 'synonyms': ['DNSbot']}\n", "doenerium {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.doenerium', 'https://twitter.com/0xToxin/status/1572612089901993985']}\n", "Enrume {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.enrume', 'https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/'], 'synonyms': ['Ransom32']}\n", "EVILNUM (Javascript) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum', 'http://blog.nsfocus.net/agentvxapt-evilnum/', 'https://github.com/eset/malware-ioc/tree/master/evilnum', 'https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/', 'https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw', 'http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html', 'https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/', 'https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets', 'https://securelist.com/deathstalker-mercenary-triumvirate/98177/', 'https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf']}\n", "FAKEUPDATES {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates', 'https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends', 'https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html', 'https://www.menlosecurity.com/blog/increase-in-attack-socgholish', 'https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/', 'https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/', 'https://twitter.com/MsftSecIntel/status/1522690116979855360', 'https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html', 'https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt', 'https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee', 'https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems', 'https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html', 'https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://experience.mandiant.com/trending-evil/p/1', 'https://www.lac.co.jp/lacwatch/report/20220407_002923.html', 'https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm'], 'synonyms': ['FakeUpdate', 'SocGholish']}\n", "GootLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader', 'https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/', 'https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader', 'https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/', 'https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/', 'https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/', 'https://community.riskiq.com/article/f5d5ed38', 'https://redcanary.com/blog/gootloader', 'https://experience.mandiant.com/trending-evil/p/1', 'https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/', 'https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf', 'https://dinohacks.blogspot.com/2022/06/loading-gootloader.html']}\n", "grelos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos', 'https://www.riskiq.com/blog/labs/magecart-medialand/', 'https://community.riskiq.com/article/8c4b4a7a', 'https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745']}\n", "Griffon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.secureworks.com/research/threat-profiles/gold-niagara', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/', 'https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.mandiant.com/resources/evolution-of-fin7', 'https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/', 'https://twitter.com/ItsReallyNick/status/1059898708286939136'], 'synonyms': ['Harpy']}\n", "inter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.inter', 'https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html']}\n", "Jeniva {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.jeniva', 'https://imp0rtp3.wordpress.com/2021/08/12/tetris/']}\n", "Jetriz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.jetriz', 'https://imp0rtp3.wordpress.com/2021/08/12/tetris/']}\n", "jspRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.jsprat', 'https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators', 'https://www.mandiant.com/resources/fin13-cybercriminal-mexico']}\n", "KopiLuwak {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak', 'https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack', 'https://securelist.com/shedding-skin-turlas-fresh-faces/88069/', 'https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf']}\n", "LNKR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr', 'https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/', 'https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md', 'https://github.com/Zenexer/lnkr', 'https://www.riskiq.com/blog/labs/lnkr-browser-extension/']}\n", "magecart {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart', 'https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/', 'https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf', 'https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/', 'https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/', 'https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/', 'https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/', 'https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/', 'https://community.riskiq.com/article/743ea75b/description', 'https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf', 'https://sansec.io/research/north-korea-magecart', 'https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html', 'https://www.reflectiz.com/the-gocgle-web-skimming-campaign/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.goggleheadedhacker.com/blog/post/14', 'https://www.riskiq.com/blog/labs/magecart-nutribullet/', 'https://twitter.com/AffableKraut/status/1415425132080816133?s=20', 'https://twitter.com/MBThreatIntel/status/1416101496022724609', 'https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/', 'https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/', 'https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/', 'https://www.riskiq.com/blog/labs/magecart-medialand/', 'https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/', 'https://geminiadvisory.io/magecart-google-tag-manager/', 'https://community.riskiq.com/article/fda1f967', 'https://sansec.io/research/magento-2-persistent-parasite', 'https://community.riskiq.com/article/2efc2782', 'https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter', 'https://www.riskiq.com/blog/labs/magecart-group-12-olympics/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/', 'https://sansec.io/research/magecart-corona-lockdown', 'https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/', 'https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/', 'https://community.riskiq.com/article/017cf2e6', 'https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/', 'https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/', 'https://community.riskiq.com/article/30f22a00', 'https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/', 'https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/', 'https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html', 'https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/', 'https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/', 'https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/', 'https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218', 'https://community.riskiq.com/article/14924d61', 'https://community.riskiq.com/article/5bea32aa', 'https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://twitter.com/AffableKraut/status/1385030485676544001', 'https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf', 'https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/', 'https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html', 'https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html', 'https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/']}\n", "MiniJS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.minijs', 'https://www.virustotal.com/gui/file/0ce9aadf6a3ffd85d6189590ece148b2f9d69e0ce1c2b8eb61361eb8d0f98571/details']}\n", "More_eggs {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs', 'https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/', 'https://blog.morphisec.com/cobalt-gang-2.0', 'https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/', 'https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish', 'https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire', 'https://www.secureworks.com/research/threat-profiles/gold-kingswood', 'http://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html', 'https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/', 'https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/', 'https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing', 'https://attack.mitre.org/software/S0284/', 'https://asert.arbornetworks.com/double-the-infection-double-the-fun/', 'https://github.com/eset/malware-ioc/tree/master/evilnum', 'https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/', 'https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw', 'https://twitter.com/Arkbird_SOLG/status/1301536930069278727', 'https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers', 'https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware', 'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf'], 'synonyms': ['SKID', 'SpicyOmelette']}\n", "NanHaiShu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu', 'https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf', 'https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets', 'https://attack.mitre.org/software/S0228/', 'https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering']}\n", "NodeRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat', 'https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf', 'https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/']}\n", "ostap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/', 'https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter', 'https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/', 'https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/', 'https://www.intrinsec.com/deobfuscating-hunting-ostap/', 'https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/', 'https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/']}\n", "Parrot TDS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.parrot_tds', 'https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/']}\n", "PeaceNotWar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar', 'https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/', 'https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c', 'https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers']}\n", "Powmet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet', 'http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/']}\n", "QNodeService {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice', 'https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/', 'https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf']}\n", "QUICKCAFE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe', 'https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf']}\n", "scanbox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/', 'http://resources.infosecinstitute.com/scanbox-framework/', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk', 'https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global', 'https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea', 'https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks', 'https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/']}\n", "SQLRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/']}\n", "Starfighter (Javascript) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter', 'https://github.com/Cn33liz/StarFighters']}\n", "Swid {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.swid', 'https://imp0rtp3.wordpress.com/2021/08/12/tetris/']}\n", "HTML5 Encoding {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext', 'https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/']}\n", "Maintools.js {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools', 'https://twitter.com/JohnLaTwC/status/915590893155098629']}\n", "Unidentified JS 001 (APT32 Profiler) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001', 'https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef', 'https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f']}\n", "Unidentified JS 003 (Emotet Downloader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003', 'https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/']}\n", "Unidentified JS 004 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004', 'https://marcoramilli.com/2020/11/27/threat-actor-unkown/']}\n", "Unidentified JS 005 (Stealer) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_005', 'https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html']}\n", "Unidentified JS 002 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002']}\n", "Valak {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.valak', 'https://security-soup.net/analysis-of-valak-maldoc/', 'https://unit42.paloaltonetworks.com/valak-evolution/', 'https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7', 'https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/', 'https://twitter.com/malware_traffic/status/1207824548021886977', 'https://blog.talosintelligence.com/2020/07/valak-emerges.html', 'https://unit42.paloaltonetworks.com/atoms/monsterlibra/', 'https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/', 'https://www.cybereason.com/blog/valak-more-than-meets-the-eye', 'https://threatresearch.ext.hp.com/detecting-ta551-domains/'], 'synonyms': ['Valek']}\n", "witchcoven {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven', 'https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf']}\n", "Godzilla Webshell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/', 'https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/', 'https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/']}\n", "AppleJeus (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://securelist.com/operation-applejeus-sequel/95596/', 'https://objective-see.com/blog/blog_0x54.html', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a', 'https://objective-see.com/blog/blog_0x49.html', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e', 'https://objective-see.com/blog/blog_0x5F.html', 'https://securelist.com/operation-applejeus/87553/', 'https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c', 'https://www.youtube.com/watch?v=1NkzTKkEM2k', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d', 'https://us-cert.cisa.gov/ncas/alerts/aa21-048a', 'https://www.youtube.com/watch?v=rjA0Vf75cYk', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b', 'https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/']}\n", "Bella {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella', 'https://github.com/kai5263499/Bella', 'https://threatintel.blog/OPBlueRaven-Part2/', 'https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/']}\n", "Bundlore {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore', 'https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c', 'https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20', 'https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/'], 'synonyms': ['SurfBuyer']}\n", "Careto {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto', 'https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed'], 'synonyms': ['Appetite', 'Mask']}\n", "Casso {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.casso', 'https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/']}\n", "CDDS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds', 'https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/', 'https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/', 'https://objective-see.com/blog/blog_0x69.html'], 'synonyms': ['Macma']}\n", "Choziosi (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi', 'https://redcanary.com/blog/chromeloader/', 'https://www.th3protocol.com/2022/Choziosi-Loader', 'https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension', 'https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/'], 'synonyms': ['ChromeLoader', 'Chropex']}\n", "CloudMensis {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.cloud_mensis', 'https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/']}\n", "CoinThief {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief', 'https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/', 'https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed']}\n", "Coldroot RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat', 'https://objective-see.com/blog/blog_0x2A.html', 'https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf']}\n", "Convuster {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster', 'https://securelist.com/convuster-macos-adware-in-rust/101258/']}\n", "CpuMeaner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner', 'https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/']}\n", "CreativeUpdater {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater', 'https://digitasecurity.com/blog/2018/02/05/creativeupdater/', 'https://objective-see.com/blog/blog_0x29.html', 'https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/']}\n", "Crisis {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis', 'https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines', 'https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?', 'http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html']}\n", "Crossrider {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider', 'https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social']}\n", "Dacls (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://objective-see.com/blog/blog_0x57.html', 'https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability', 'https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/', 'https://www.sygnia.co/mata-framework', 'https://objective-see.com/blog/blog_0x5F.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/', 'https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/']}\n", "DarthMiner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer', 'https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/']}\n", "DazzleSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.dazzle_spy', 'https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/', 'https://objective-see.com/blog/blog_0x6D.html']}\n", "Dockster {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster', 'http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html', 'https://www.f-secure.com/weblog/archives/00002466.html']}\n", "Dummy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy', 'https://objective-see.com/blog/blog_0x32.html']}\n", "Eleanor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor', 'https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/']}\n", "ElectroRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat', 'https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/', 'https://objective-see.com/blog/blog_0x61.html', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf']}\n", "EvilOSX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx', 'https://twitter.com/JohnLaTwC/status/966139336436498432', 'https://github.com/Marten4n6/EvilOSX']}\n", "EvilQuest {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://objective-see.com/blog/blog_0x59.html', 'https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/', 'https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/', 'https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/', 'https://objective-see.com/blog/blog_0x5F.html', 'https://github.com/gdbinit/evilquest_deobfuscator', 'https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities', 'https://twitter.com/dineshdina04/status/1277668001538433025', 'https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/'], 'synonyms': ['ThiefQuest']}\n", "FailyTale {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale', 'https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/']}\n", "FinFisher (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher', 'https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/', 'https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/', 'https://securelist.com/finspy-unseen-findings/104322/', 'https://objective-see.com/blog/blog_0x5F.html', 'https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/', 'https://objective-see.com/blog/blog_0x4F.html']}\n", "FlashBack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback', 'https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed', 'http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html', 'https://en.wikipedia.org/wiki/Flashback_(Trojan)', 'http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html', 'https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities'], 'synonyms': ['FakeFlash']}\n", "FruitFly {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly', 'https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/', 'https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/', 'https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html', 'https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf', 'https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/', 'https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/'], 'synonyms': ['Quimitchin']}\n", "GIMMICK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick', 'https://cybersecuritynews.com/gimmick-malware-attacks/', 'https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/']}\n", "Gmera {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera', 'https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/', 'https://objective-see.com/blog/blog_0x53.html'], 'synonyms': ['Kassi', 'StockSteal']}\n", "HiddenLotus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus', 'https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/']}\n", "iMuler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler', 'https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/', 'http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html', 'https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/'], 'synonyms': ['Revir']}\n", "Janicab {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab', 'https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html', 'https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/', 'https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/', 'https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/', 'https://archive.f-secure.com/weblog/archives/00002576.html', 'https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/', 'https://www.macmark.de/blog/osx_blog_2013-08-a.php', 'https://securelist.com/deathstalker-mercenary-triumvirate/98177/', 'https://www.malwarology.com/posts/5-janicab-part_1/']}\n", "KeRanger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger', 'http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/', 'https://objective-see.com/blog/blog_0x16.html', 'https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html']}\n", "Keydnap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap', 'http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/', 'https://objective-see.com/blog/blog_0x16.html', 'https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/', 'https://github.com/eset/malware-ioc/tree/master/keydnap']}\n", "Kitmos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos', 'https://www.f-secure.com/weblog/archives/00002558.html'], 'synonyms': ['KitM']}\n", "Komplex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf', 'http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'https://objective-see.com/blog/blog_0x16.html', 'https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/'], 'synonyms': ['JHUHUGIT', 'JKEYSKW', 'SedUploader']}\n", "Lador {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.lador', 'https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/']}\n", "Lambert (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.lambert', 'https://objective-see.com/blog/blog_0x68.html'], 'synonyms': ['GreenLambert']}\n", "Laoshu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu', 'https://objective-see.com/blog/blog_0x16.html', 'https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/']}\n", "Leverage {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage', 'https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/', 'https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis']}\n", "MacDownloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://iranthreats.github.io/resources/macdownloader-macos-malware/']}\n", "MacInstaller {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller', 'https://objective-see.com/blog/blog_0x16.html']}\n", "MacRansom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom', 'https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service', 'https://objective-see.com/blog/blog_0x1E.html']}\n", "MacSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy', 'https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service']}\n", "MacVX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx', 'https://objective-see.com/blog/blog_0x16.html']}\n", "MaMi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami', 'https://objective-see.com/blog/blog_0x26.html']}\n", "Manuscrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt', 'https://twitter.com/BitsOfBinary/status/1321488299932983296', 'https://www.anquanke.com/post/id/223817', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://twitter.com/BitsOfBinary/status/1337330286787518464']}\n", "Mokes (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes', 'https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/', 'https://objective-see.com/blog/blog_0x16.html', 'https://objective-see.com/blog/blog_0x53.html']}\n", "Mughthesec {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec', 'https://objective-see.com/blog/blog_0x20.html']}\n", "OceanLotus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus', 'https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries', 'https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam', 'https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html', 'https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/', 'https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/', 'https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468', 'https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update', 'https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html', 'https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/']}\n", "Olyx {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx', 'http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html', 'https://news.drweb.com/show/?i=1750&lng=en&c=14']}\n", "oRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt', 'https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/', 'https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf']}\n", "OSAMiner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer', 'https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/']}\n", "Patcher {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher', 'http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/'], 'synonyms': ['FileCoder', 'Findzip']}\n", "PintSized {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized', 'https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/']}\n", "Pirrit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit', 'http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/', 'http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf', 'https://forensicitguy.github.io/analyzing-pirrit-adware-installer/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf']}\n", "Proton RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat', 'https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/', 'https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does', 'https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/', 'https://securelist.com/calisto-trojan-for-macos/86543/', 'https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/', 'https://objective-see.com/blog/blog_0x1F.html', 'https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/', 'https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf', 'https://objective-see.com/blog/blog_0x1D.html'], 'synonyms': ['Calisto']}\n", "Pwnet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet', 'https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/']}\n", "Dok {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe', 'https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/', 'https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe', 'https://www.govcert.admin.ch/blog/33/the-retefe-saga', 'http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/'], 'synonyms': ['Retefe']}\n", "Shlayer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer', 'https://objective-see.com/blog/blog_0x64.html', 'https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/', 'https://securelist.com/shlayer-for-macos/95724/', 'https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/', 'https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities']}\n", "Silver Sparrow {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow', 'https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis', 'https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf']}\n", "SysJoker (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.sysjoker', 'https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/', 'https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/', 'https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html', 'https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/']}\n", "systemd {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd', 'https://securelist.com/windealer-dealing-on-the-side/105946/', 'https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf', 'https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en'], 'synonyms': ['Demsty', 'ReverseWindow']}\n", "Tsunami (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami', 'https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks']}\n", "Unidentified macOS 001 (UnionCryptoTrader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001', 'https://objective-see.com/blog/blog_0x51.html', 'https://securelist.com/operation-applejeus-sequel/95596/']}\n", "UpdateAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent', 'https://twitter.com/sysopfb/status/1532442456343691273', 'https://www.jamf.com/blog/updateagent-adapts-again/', 'https://www.esentire.com/blog/updateagent-macos-malware', 'https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/']}\n", "Uroburos (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos', 'https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/', 'https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/']}\n", "Vigram {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram', 'https://twitter.com/ConfiantIntel/status/1351559054565535745', 'https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/', 'https://twitter.com/MsftSecIntel/status/1451279679059488773'], 'synonyms': ['WizardUpdate']}\n", "WatchCat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.watchcat', 'https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/', 'https://objective-see.com/blog/blog_0x5F.html']}\n", "WindTail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail', 'https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf', 'https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56', 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf', 'https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/', 'https://objective-see.com/blog/blog_0x3B.html', 'https://objective-see.com/blog/blog_0x3D.html', 'https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/']}\n", "Winnti (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti', 'https://401trg.pw/winnti-evolution-going-open-source/']}\n", "WireLurker (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf', 'https://objective-see.com/blog/blog_0x16.html']}\n", "Wirenet (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet', 'http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html', 'https://objective-see.com/blog/blog_0x43.html', 'https://news.drweb.com/show/?i=2679&lng=en&c=14']}\n", "X-Agent (OS X) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent', 'https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf', 'https://twitter.com/PhysicalDrive0/status/845009226388918273', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/']}\n", "XCSSET {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset', 'https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/', 'https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html', 'https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/', 'https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html', 'https://objective-see.com/blog/blog_0x5F.html', 'https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf', 'https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities', 'https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/']}\n", "Xloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader', 'https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/', 'https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer', 'https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://twitter.com/krabsonsecurity/status/1319463908952969216', 'https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/', 'https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/', 'https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/', 'https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/', 'https://www.lac.co.jp/lacwatch/report/20220307_002893.html', 'https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption'], 'synonyms': ['Formbook']}\n", "XSLCmd {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd', 'https://objective-see.com/blog/blog_0x16.html', 'https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html']}\n", "Yort {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort', 'https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/', 'https://objective-see.com/blog/blog_0x53.html']}\n", "ZuRu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/osx.zuru', 'https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html', 'https://objective-see.com/blog/blog_0x66.html']}\n", "Ani-Shell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell', 'http://ani-shell.sourceforge.net/', 'https://github.com/tennc/webshell/tree/master/php/Ani-Shell'], 'synonyms': ['anishell']}\n", "ANTAK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.antak', 'https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'http://www.labofapenetrationtester.com/2014/06/introducing-antak.html']}\n", "ASPXSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.aspxspy', 'https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells', 'https://attack.mitre.org/groups/G0096']}\n", "Behinder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder', 'https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/']}\n", "c99shell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.c99', 'https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html'], 'synonyms': ['c99']}\n", "DEWMODE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode', 'https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf', 'https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a', 'https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf']}\n", "Ensikology {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology', 'https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/'], 'synonyms': ['Ensiko']}\n", "Parrot TDS WebShell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.parrot_tds_shell', 'https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/']}\n", "PAS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.pas', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf', 'https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm', 'https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://blog.erratasec.com/2016/12/some-notes-on-iocs.html']}\n", "Prometheus Backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.prometheus_backdoor', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://blog.group-ib.com/prometheus-tds']}\n", "RedHat Hacker WebShell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker', 'https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp']}\n", "WSO {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/php.wso', 'https://securelist.com/energetic-bear-crouching-yeti/85345/', 'https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903'], 'synonyms': ['Webshell by Orb']}\n", "Silence DDoS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos', 'https://www.group-ib.com/resources/threat-research/silence.html']}\n", "BlackSun {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.blacksun', 'https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html']}\n", "BONDUPDATER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater', 'https://ironnet.com/blog/chirp-of-the-poisonfrog/', 'https://nsfocusglobal.com/apt34-event-analysis-report/', 'https://www.netscout.com/blog/asert/tunneling-under-sands', 'https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/', 'https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/', 'https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/', 'https://marcoramilli.com/2019/05/02/apt34-glimpse-project/', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae', 'https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/'], 'synonyms': ['Glimpse', 'Poison Frog']}\n", "CASHY200 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cashy200', 'https://unit42.paloaltonetworks.com/atoms/hunter-serpens/', 'https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/']}\n", "FlowerPower {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf', 'https://www.youtube.com/watch?v=rfzmHjZX70s', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://vblocalhost.com/uploads/VB2020-46.pdf', 'https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf'], 'synonyms': ['BoBoStealer']}\n", "FRat Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md']}\n", "FTCODE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode', 'https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/', 'https://www.certego.net/en/news/malware-tales-ftcode/', 'https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html', 'https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/', 'https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm', 'https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md', 'https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities']}\n", "GhostMiner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer', 'https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/', 'https://research.checkpoint.com/malware-against-the-c-monoculture/', 'https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless']}\n", "JasperLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader', 'https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html', 'https://blog.threatstop.com/upgraded-jasperloader-infecting-machines', 'https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html', 'https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html']}\n", "Lazyscripter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lazyscripter', 'https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter']}\n", "LightBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot', 'https://twitter.com/VK_Intel/status/1329511151202349057', 'https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/']}\n", "Octopus (Powershell) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus', 'https://isc.sans.edu/diary/rss/28628', 'https://github.com/mhaskar/Octopus', 'https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf', 'https://isc.sans.edu/diary/26918']}\n", "OilRig {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig', 'https://threatpost.com/oilrig-apt-unique-backdoor/157646/', 'https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html', 'https://twitter.com/MJDutch/status/1074820959784321026?s=19']}\n", "POSHSPY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy', 'https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html', 'https://github.com/matthewdunwoody/POSHSPY']}\n", "PowerBrace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerbrace', 'https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor', 'https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/']}\n", "PowerPepper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpepper', 'https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/', 'https://twitter.com/InQuest/status/1285295975347650562']}\n", "POWERPIPE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html']}\n", "POWERPLANT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerplant', 'https://www.mandiant.com/resources/evolution-of-fin7']}\n", "powershell_web_backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor', 'https://github.com/chrisjd20/powershell_web_backdoor']}\n", "PowerShortShell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershortshell', 'https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/']}\n", "PowerShower {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower', 'https://attack.mitre.org/groups/G0100/', 'https://securelist.com/recent-cloud-atlas-activity/92016/', 'https://attack.mitre.org/groups/G0100', 'https://securelist.com/recent-cloud-atlas-activity/92016', 'https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/', 'https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability', 'https://unit42.paloaltonetworks.com/atoms/clean-ursa', 'https://unit42.paloaltonetworks.com/atoms/clean-ursa/']}\n", "POWERSOURCE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf']}\n", "PowerSpritz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz', 'https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf']}\n", "POWERSTATS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats', 'https://www.secureworks.com/research/threat-profiles/cobalt-ulster', 'https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/', 'https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/', 'https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/', 'https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html', 'http://www.secureworks.com/research/threat-profiles/cobalt-ulster', 'https://unit42.paloaltonetworks.com/atoms/boggyserpens/', 'https://blog.prevailion.com/2020/01/summer-mirage.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-055a', 'https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/', 'https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/', 'https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html', 'https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/', 'https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/', 'https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611', 'https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/', 'https://securelist.com/apt-trends-report-q2-2019/91897/'], 'synonyms': ['Valyria']}\n", "POWERTON {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton', 'https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html', 'https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html', 'https://www.symantec.com/security-center/writeup/2019-062513-4935-99', 'https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/', 'https://norfolkinfosec.com/apt33-powershell-malware/', 'https://www.secureworks.com/research/threat-profiles/cobalt-trinity', 'https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/']}\n", "POWERTRASH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash', 'https://www.mandiant.com/resources/evolution-of-fin7']}\n", "PowerWare {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware', 'https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats']}\n", "PowerZure {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure', 'https://github.com/hausec/PowerZure']}\n", "PowGoop {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-055a', 'https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/', 'https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/', 'https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant', 'https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/', 'https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf', 'https://unit42.paloaltonetworks.com/thanos-ransomware/', 'https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east']}\n", "POWRUNER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner', 'https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae']}\n", "PresFox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox', 'https://twitter.com/kafeine/status/1092000556598677504']}\n", "QUADAGENT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent', 'https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca', 'https://youtu.be/pBDu8EGWRC4?t=2492', 'https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae', 'https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html']}\n", "RMOT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.rmot', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html']}\n", "RogueRobin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin', 'https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/', 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/', 'https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca']}\n", "Schtasks {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks', 'https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1']}\n", "skyrat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.skyrat', 'https://github.com/YSCHGroup/SkyRAT']}\n", "sLoad {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload', 'https://blog.minerva-labs.com/sload-targeting-europe-again', 'https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy', 'https://threatpost.com/sload-spying-payload-delivery-bits/151120/', 'https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/', 'https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/', 'https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/', 'https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/', 'https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html', 'https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf', 'https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9', 'https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/', 'https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan', 'https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/'], 'synonyms': ['Starslord']}\n", "Snugy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.snugy', 'https://unit42.paloaltonetworks.com/atoms/hunter-serpens/', 'https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/']}\n", "Swrort Stager {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.swrort', 'https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf']}\n", "Tater PrivEsc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater', 'https://github.com/Kevin-Robertson/Tater']}\n", "ThunderShell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell', 'https://github.com/Mr-Un1k0d3r/ThunderShell']}\n", "Unidentified PS 001 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001', 'https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/']}\n", "Unidentified PS 002 (RAT) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002', 'https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/', 'https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/']}\n", "Unidentified PS 003 (RAT) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_003', 'https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/']}\n", "WannaMine {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine', 'https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/', 'https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/', 'https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/', 'https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/', 'https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry', 'https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf']}\n", "WannaRen Downloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader', 'https://twitter.com/blackorbird/status/1247834024711577601']}\n", "WMImplant {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant', 'https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html']}\n", "Archivist {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist', 'https://github.com/NullArray/Archivist']}\n", "Ares (Python) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.ares', 'https://github.com/sweetsoftware/Ares']}\n", "BrickerBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot', 'http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f', 'https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/', 'https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/', 'http://seclists.org/fulldisclosure/2017/Mar/7', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/', 'https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A', 'https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/']}\n", "DropboxC2C {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c', 'https://github.com/0x09AL/DropboxC2C']}\n", "Guard {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.guard', 'https://securelist.com/wildpressure-targets-macos/103072/']}\n", "KeyPlexer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer', 'https://github.com/nairuzabulhul/KeyPlexer']}\n", "LaZagne {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne', 'https://github.com/AlessandroZ/LaZagne', 'https://attack.mitre.org/groups/G0100/', 'https://attack.mitre.org/groups/G0100', 'https://www.infinitumit.com.tr/apt-35/', 'https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx', 'https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf', 'https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/', 'https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/']}\n", "Lofy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.lofy', 'https://securelist.com/lofylife-malicious-npm-packages/107014/'], 'synonyms': ['LofyLife']}\n", "Loki RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.lokirat', 'https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/']}\n", "N3Cr0m0rPh {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph', 'https://github.com/lacework/lacework-labs/tree/master/keksec', 'https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr', 'https://twitter.com/xuy1202/status/1393384128456794116', 'https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/', 'https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/', 'https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/', 'https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html', 'https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/', 'https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/', 'https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/', 'https://www.lacework.com/the-kek-security-network/', 'https://twitter.com/xuy1202/status/1392089568384454657', 'https://www.lacework.com/keksec-tsunami-ryuk/'], 'synonyms': ['FreakOut', 'Necro']}\n", "NetWorm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.networm', 'https://github.com/pylyf/NetWorm']}\n", "PIRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.pirat', 'https://vk.com/m228228?w=wall306895781_177']}\n", "Poet RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://blog.talosintelligence.com/2020/10/poetrat-update.html', 'https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html', 'https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/', 'https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/']}\n", "pupy (Python) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://www.secureworks.com/research/threat-profiles/cobalt-trinity', 'https://github.com/n1nj4sec/pupy']}\n", "PyArk {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.pyark', 'https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/']}\n", "pyback {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.pyback', 'https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001', 'https://github.com/7h3w4lk3r/pyback']}\n", "PyVil {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.pyvil', 'https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat', 'https://twitter.com/ESETresearch/status/1360178593968623617']}\n", "Responder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.responder', 'https://github.com/lgandx/Responder', 'https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/'], 'synonyms': ['SpiderLabs Responder']}\n", "Saphyra {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra', 'https://www.youtube.com/watch?v=Bk-utzAlYFI', 'https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/']}\n", "Serpent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent', 'https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html', 'https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/', 'https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain']}\n", "SpaceCow {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow', 'https://github.com/TheSph1nx/SpaceCow']}\n", "stealler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler', 'https://habr.com/en/sandbox/135410/']}\n", "Stitch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.stitch', 'https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/', 'https://github.com/nathanlopez/Stitch']}\n", "unidentified_002 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002']}\n", "unidentified_003 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003']}\n", "Venomous {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.venomous', 'https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/']}\n", "W4SP Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/py.w4sp_stealer', 'https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/']}\n", "FlexiSpy (symbian) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy', 'https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/']}\n", "CageyChameleon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon', 'https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf', 'https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/', 'https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/', 'https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314', 'https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf', 'https://www.clearskysec.com/cryptocore-group/', 'https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf']}\n", "forbiks {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.forbiks', 'https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99', 'https://persianov.net/windows-worms-forbix-worm-analysis'], 'synonyms': ['Forbix']}\n", "GGLdr {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.ggldr', 'https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control']}\n", "GlowSpark {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.glowspark', 'https://inquest.net/blog/2022/02/10/380-glowspark']}\n", "Grinju Downloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju', 'https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8', 'https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce']}\n", "HALFBAKED {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html', 'https://attack.mitre.org/software/S0151/']}\n", "Iloveyou {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou', 'https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186'], 'synonyms': ['Love Bug', 'LoveLetter']}\n", "lampion {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion', 'https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html', 'https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf', 'https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/', 'https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years', 'https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/', 'https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/', 'https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader', 'https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing', 'https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/']}\n", "lockscreen {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lockscreen', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/']}\n", "MOUSEISLAND {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.mouseisland', 'https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html']}\n", "NodeJS Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom', 'https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html']}\n", "Starfighter (VBScript) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter', 'https://github.com/Cn33liz/StarFighters']}\n", "STARWHALE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starwhale', 'https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/', 'https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611', 'https://www.mandiant.com/resources/telegram-malware-iranian-espionage', 'https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html', 'https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/', 'https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html', 'https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html', 'https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706'], 'synonyms': ['Canopy', 'SloughRAT']}\n", "Unidentified VBS 001 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001', 'https://twitter.com/JohnLaTwC/status/1118278148993339392']}\n", "Unidentified 002 (Operation Kremlin) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002', 'https://www.clearskysec.com/operation-kremlin/']}\n", "Unidentified 003 (Gamaredon Downloader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003', 'https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/', 'https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt']}\n", "Unidentified VBS 004 (RAT) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_004', 'https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/']}\n", "WhiteShadow {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/vbs.whiteshadow', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware']}\n", "000Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.000stealer', 'https://twitter.com/3xp0rtblog/status/1509978637189419008']}\n", "404 Keylogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger', 'https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware', 'https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger', 'https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html', 'https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/', 'https://habr.com/ru/company/group-ib/blog/477198/', 'https://cert.gov.ua/article/955924', 'https://blog.netlab.360.com/purecrypter', 'https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/', 'https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter', 'https://twitter.com/James_inthe_box/status/1401921257109561353', 'https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89', 'https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/', 'https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/', 'https://www.youtube.com/watch?v=vzyJp2w8bPE', 'https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware'], 'synonyms': ['404KeyLogger', 'Snake Keylogger']}\n", "4h_rat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat', 'https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf', 'https://attack.mitre.org/groups/G0024']}\n", "7ev3n {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n', 'https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n', 'https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/']}\n", "8.t Dropper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper', 'https://blog.malwarelab.pl/posts/on_the_royal_road/', 'https://community.riskiq.com/article/5fe2da7f', 'https://nao-sec.org/2021/01/royal-road-redive.html', 'https://securelist.com/cycldek-bridging-the-air-gap/97157/', 'https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/', 'https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/', 'https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746', 'https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf', 'https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/', 'https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f', 'https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf', 'https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?', 'https://community.riskiq.com/article/56fa1b2f', 'https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/', 'https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf', 'https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241', 'https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology'], 'synonyms': ['8t_dropper', 'RoyalRoad']}\n", "9002 RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.9002', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://www.secureworks.com/research/threat-profiles/bronze-firestone', 'https://www.secureworks.com/research/threat-profiles/bronze-express', 'https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://www.infopoint-security.de/medien/the-elderwood-project.pdf', 'https://attack.mitre.org/groups/G0001/', 'https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn', 'https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/', 'https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html', 'https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/', 'http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf', 'https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf'], 'synonyms': ['HOMEUNIX', 'Hydraq', 'McRAT']}\n", "Abaddon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon', 'https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/']}\n", "AbaddonPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos', 'https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software', 'https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/', 'https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/', 'https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak', 'https://medium.com/s2wlab/operation-synctrek-e5013df8d167', 'https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/'], 'synonyms': ['PinkKite', 'TinyPOS']}\n", "abantes {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes']}\n", "Abbath Banker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker']}\n", "AbSent Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader', 'https://twitter.com/cocaman/status/1260069549069733888', 'https://github.com/Tlgyt/AbSent-Loader']}\n", "ACBackdoor (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor', 'https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/']}\n", "ACEHASH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html', 'https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/']}\n", "AcidBox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://blog.talosintelligence.com/2020/08/attribution-puzzle.html', 'https://www.epicturla.com/blog/acidbox-clustering', 'https://unit42.paloaltonetworks.com/acidbox-rare-malware/'], 'synonyms': ['MagicScroll']}\n", "AcridRain {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain', 'https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/']}\n", "Acronym {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym']}\n", "Adamantium Thief {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief', 'https://github.com/LimerBoy/Adamantium-Thief', 'https://twitter.com/ClearskySec/status/1377176015189929989']}\n", "AdamLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016', 'https://twitter.com/JaromirHorejsi/status/813712587997249536']}\n", "Adhubllka {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka', 'https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign']}\n", "AdKoob {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob', 'https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/']}\n", "AdvisorsBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot', 'https://www.bromium.com/second-stage-attack-analysis/', 'https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot']}\n", "Adylkuzz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz', 'https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar']}\n", "Afrodita {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita', 'https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html', 'https://twitter.com/_CPResearch_/status/1201957880909484033', 'https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md']}\n", "AgendaCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt', 'https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/', 'https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt'], 'synonyms': ['Agenda']}\n", "Agent.BTZ {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz', 'https://docs.broadcom.com/doc/waterbug-attack-group', 'https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d', 'https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/', 'https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf', 'https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'http://www.intezer.com/new-variants-of-agent-btz-comrat-found/', 'https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf', 'https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/', 'http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a', 'http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/', 'https://unit42.paloaltonetworks.com/ironnetinjector/'], 'synonyms': ['ComRAT', 'Minit', 'Sun rootkit']}\n", "Agent Tesla {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla', 'https://inquest.net/blog/2021/11/02/adults-only-malware-lures', 'https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/', 'https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4', 'https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/', 'https://blog.netlab.360.com/purecrypter', 'https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire', 'https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/', 'https://youtu.be/BM38OshcozE', 'https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/', 'https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/', 'https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/', 'https://youtu.be/hxaeWyK8gMI', 'https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/', 'https://isc.sans.edu/diary/27666', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware', 'https://forensicitguy.github.io/agenttesla-vba-certutil-download/', 'https://guillaumeorlando.github.io/AgentTesla', 'https://cert.gov.ua/article/861292', 'https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/', 'https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-galleon', 'https://www.inde.nz/blog/inside-agenttesla', 'https://isc.sans.edu/diary/rss/28190', 'https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/', 'https://community.riskiq.com/article/56e28880', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware', 'http://blog.nsfocus.net/sweed-611/', 'https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads', 'https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/', 'https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/', 'https://www.youtube.com/watch?v=Q9_1xNbVQPY', 'https://www.secureworks.com/research/threat-profiles/gold-galleon', 'https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/', 'https://news.sophos.com/en-us/2020/05/14/raticate/', 'https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html', 'https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/', 'https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://www.lac.co.jp/lacwatch/report/20220307_002893.html', 'https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla', 'https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/', 'https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant', 'https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/', 'https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/', 'https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/', 'https://unit42.paloaltonetworks.com/originlogger/', 'https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?', 'https://menshaway.blogspot.com/2021/04/agenttesla-malware.html', 'https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/', 'https://isc.sans.edu/diary/28202', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf', 'https://community.riskiq.com/article/6337984e', 'https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/', 'https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/', 'https://isc.sans.edu/diary/rss/27092', 'https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting', 'https://malwarebookreports.com/agent-teslaggah/', 'https://blog.minerva-labs.com/preventing-agenttesla', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/', 'https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine', 'https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/', 'https://lab52.io/blog/a-twisted-malware-infection-chain/', 'https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor', 'https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/', 'https://twitter.com/MsftSecIntel/status/1392219299696152578', 'https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry', 'https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware', 'https://blog.malwarelab.pl/posts/basfu_aggah/', 'https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader', 'https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns', 'https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf', 'https://www.telsy.com/download/4832/', 'https://youtu.be/QQuRp7Qiuzg', 'https://asec.ahnlab.com/ko/29133/', 'https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/', 'https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://malwatch.github.io/posts/agent-tesla-malware-analysis/', 'https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/', 'https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr', 'https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html', 'https://isc.sans.edu/diary/27088', 'https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/', 'https://community.riskiq.com/article/40000d46', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware', 'http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/', 'https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/', 'https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update', 'https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ', 'https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/', 'https://guillaumeorlando.github.io/GorgonInfectionchain', 'https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['AgenTesla', 'AgentTesla', 'Negasteal']}\n", "AgfSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy', 'https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html']}\n", "Ahtapot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ahtapot', 'https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf']}\n", "Albaniiutas {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas', 'https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia', 'https://blog.group-ib.com/task'], 'synonyms': ['BlueTraveller']}\n", "Aldibot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot', 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot']}\n", "Alfonso Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alfonso_stealer', 'https://twitter.com/3xp0rtblog/status/1344352253294104576']}\n", "Project Alice {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm', 'http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/', 'https://www.symantec.com/security-center/writeup/2016-122104-0203-99', 'https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html'], 'synonyms': ['AliceATM', 'PrAlice']}\n", "Alina POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos', 'http://www.xylibox.com/2013/02/alina-34-pos-malware.html', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/', 'https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/'], 'synonyms': ['alina_eagle', 'alina_spark', 'katrina']}\n", "AllaKore {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore', 'https://twitter.com/_re_fox/status/1212070711206064131', 'https://github.com/Anderson-D/AllaKore', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt', 'https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf', 'https://blog.talosintelligence.com/2021/07/sidecopy.html']}\n", "Allaple {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple', 'https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf', 'https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/'], 'synonyms': ['Starman']}\n", "Almanahe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.almanahe', 'https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process']}\n", "Alma Communicator {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator', 'https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/', 'https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/']}\n", "AlmaLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker']}\n", "AlmondRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.almondrat', 'https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/']}\n", "ALPC Local PrivEsc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe', 'https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/']}\n", "Alphabet Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware', 'https://twitter.com/JaromirHorejsi/status/813714602466877440']}\n", "AlphaLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker', 'https://blog.cylance.com/an-introduction-to-alphalocker']}\n", "AlphaNC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc', 'https://www.secureworks.com/research/threat-profiles/nickel-gladstone', 'https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group']}\n", "Alreay {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay', 'https://securelist.com/blog/sas/77908/lazarus-under-the-hood/']}\n", "Alureon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon', 'https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf', 'http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html', 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt', 'http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html', 'http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html', 'https://www.youtube.com/watch?v=FttiysUZmDw', 'https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/', 'https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/'], 'synonyms': ['Olmarik', 'Pihar', 'TDL', 'TDSS', 'wowlik']}\n", "Amadey {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey', 'https://twitter.com/0xffff0800/status/1062948406266642432', 'https://www.anquanke.com/post/id/230116', 'https://nao-sec.org/2019/04/Analyzing-amadey.html', 'https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware', 'https://twitter.com/ViriBack/status/1062405363457118210', 'https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/', 'https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become', 'https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/', 'https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4', 'https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://isc.sans.edu/diary/27264', 'https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer']}\n", "AMTsol {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol', 'http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf', 'https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/'], 'synonyms': ['Adupihan']}\n", "Anatova Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom', 'https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/']}\n", "Anchor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor', 'https://unit42.paloaltonetworks.com/ryuk-ransomware/', 'https://isc.sans.edu/diary/27308', 'https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns', 'https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware', 'https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607', 'https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/', 'https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns', 'https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/', 'https://www.netscout.com/blog/asert/dropping-anchor', 'https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf', 'https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/', 'https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth', 'https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/']}\n", "AnchorMail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormail', 'https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/', 'https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/', 'https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine', 'https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/']}\n", "Andromeda {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda', 'https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis', 'https://redcanary.com/blog/intelligence-insights-november-2021/', 'https://eternal-todo.com/blog/andromeda-gamarue-loves-json', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/', 'https://blog.avast.com/andromeda-under-the-microscope', 'https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features', 'https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/', 'http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/', 'http://resources.infosecinstitute.com/andromeda-bot-analysis/', 'http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/', 'https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html', 'https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/', 'https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/', 'http://blog.morphisec.com/andromeda-tactics-analyzed', 'https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf'], 'synonyms': ['B106-Gamarue', 'B67-SS-Gamarue', 'Gamarue', 'b66']}\n", "AndroMut {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut', 'https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf'], 'synonyms': ['Gelup']}\n", "Anel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.anel', 'https://www.secureworks.com/research/threat-profiles/bronze-riverside', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/'], 'synonyms': ['UPPERCUT', 'lena']}\n", "AnteFrigus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus', 'http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html', 'https://github.com/albertzsigovits/malware-notes/blob/master/Antefrigus.md']}\n", "Antilam {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam'], 'synonyms': ['Latinus']}\n", "Anubis (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis', 'https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/', 'https://twitter.com/MsftSecIntel/status/1298752223321546754'], 'synonyms': ['Anubis Stealer']}\n", "Anubis Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis_loader', 'https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/', 'https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/', 'https://windowsreport.com/kraken-botnet/', 'https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/', 'https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e'], 'synonyms': ['Kraken', 'Pepega']}\n", "Apocalipto {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto', 'https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf']}\n", "Apocalypse {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom', 'http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/']}\n", "Apostle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.apostle', 'https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/', 'https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/', 'https://assets.sentinelone.com/sentinellabs/evol-agrius', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf']}\n", "AppleJeus (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d', 'https://us-cert.cisa.gov/ncas/alerts/aa21-048a', 'https://www.telsy.com/download/5394/?uid=28b0a4577e', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c', 'https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a', 'https://twitter.com/VK_Intel/status/1182730637016481793']}\n", "Appleseed {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed', 'https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf', 'https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf', 'https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf', 'https://www.youtube.com/watch?v=Dv2_DK3tRgI', 'https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf', 'https://www.telsy.com/download/5654/?uid=4869868efd', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf', 'https://www.youtube.com/watch?v=rfzmHjZX70s', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/', 'https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/', 'https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf', 'https://asec.ahnlab.com/en/30532/', 'https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf', 'https://asec.ahnlab.com/ko/26705/', 'https://asec.ahnlab.com/ko/36918/'], 'synonyms': ['JamBog']}\n", "ArdaMax {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax', 'https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf']}\n", "Arefty {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty', 'http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/']}\n", "Ares (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ares', 'https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan', 'https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga']}\n", "ArguePatch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.arguepatch', 'https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/']}\n", "Aria-body {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody', 'https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1', 'https://securelist.com/it-threat-evolution-q2-2020/98230', 'https://securelist.com/naikons-aria/96899/', 'https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/']}\n", "Arid Gopher {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher', 'https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant', 'https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/']}\n", "AridHelper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.aridhelper', 'https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant']}\n", "Arik Keylogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger', 'http://remote-keylogger.net/'], 'synonyms': ['Aaron Keylogger']}\n", "Arkei Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer', 'https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer', 'https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets', 'https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/', 'https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://isc.sans.edu/diary/rss/28468'], 'synonyms': ['ArkeiStealer']}\n", "ARS VBS Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader', 'https://twitter.com/Racco42/status/1001374490339790849', 'https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/', 'https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/']}\n", "ARTFULPIE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-045e', 'https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/']}\n", "Artra Downloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.artra', 'https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/', 'https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english', 'https://www.freebuf.com/articles/database/192726.html', 'https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf', 'https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/']}\n", "Asbit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.asbit', 'https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan']}\n", "AscentLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader']}\n", "ASPC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc']}\n", "Asprox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox', 'https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign', 'https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/', 'http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/'], 'synonyms': ['Aseljo', 'BadSrc']}\n", "Asruex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex', 'https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/', 'https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html']}\n", "Astaroth {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962', 'https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf', 'https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/', 'https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research', 'https://blog.easysol.net/meet-lucifer-international-trojan/', 'https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/', 'https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/', 'https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/', 'https://blog.talosintelligence.com/2020/05/astaroth-analysis.html', 'https://isc.sans.edu/diary/27482', 'https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt', 'https://securelist.com/the-tetrade-brazilian-banking-malware/97779/', 'https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/'], 'synonyms': ['Guildma']}\n", "AstraLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker', 'https://www.emsisoft.com/ransomware-decryption-tools/astralocker', 'https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/', 'https://blog.malwarebytes.com/ransomware/2022/07/astralocker-2-0-ransomware-isnt-going-to-give-you-your-files-back/', 'https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs']}\n", "AsyncRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat', 'https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html', 'https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html', 'https://community.riskiq.com/article/3929ede0/description', 'https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf', 'https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign', 'https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service', 'https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader', 'https://eln0ty.github.io/malware%20analysis/asyncRAT/', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware', 'https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html', 'https://community.riskiq.com/article/ade260c6', 'https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages', 'https://blog.netlab.360.com/purecrypter', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html', 'https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat', 'https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html', 'https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html', 'https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/', 'https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html', 'https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf', 'https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/', 'https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser', 'https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat', 'https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/', 'https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html', 'https://twitter.com/ESETresearch/status/1449132020613922828', 'https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader', 'https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html', 'https://labs.k7computing.com/?p=21759', 'https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise', 'https://twitter.com/MsftSecIntel/status/1392219299696152578', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt', 'https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html', 'https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt', 'https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://community.riskiq.com/article/24759ad2', 'https://www.esentire.com/blog/asyncrat-activity', 'https://aidenmitchell.ca/asyncrat-via-vbs/', 'https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html', 'https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight', 'https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel', 'https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html', 'https://twitter.com/vxunderground/status/1519632014361640960', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://blog.morphisec.com/syk-crypter-discord', 'https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/', 'https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia', 'https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/', 'https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf', 'https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/', 'https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique', 'https://threatpost.com/ta2541-apt-rats-aviation/178422/']}\n", "AthenaGo RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago']}\n", "ATI-Agent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent', 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/']}\n", "ATMii {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii', 'https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/']}\n", "ATMitch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch', 'https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/', 'https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf', 'https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/']}\n", "Atmosphere {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere', 'https://www.group-ib.com/resources/threat-research/silence.html', 'https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/']}\n", "ATMSpitter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter', 'http://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf', 'https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf']}\n", "ATOMSILO {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo', 'https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/', 'https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/', 'https://twitter.com/siri_urz/status/1437664046556274694?s=20', 'https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "Attor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.attor', 'https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html', 'https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/', 'https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami', 'https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform', 'https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf', 'https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/', 'https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/']}\n", "August Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer', 'https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html', 'https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene']}\n", "Auriga {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf'], 'synonyms': ['Riodrv']}\n", "Aurora {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora', 'https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/', 'https://twitter.com/malwrhunterteam/status/1001461507513880576', 'https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/'], 'synonyms': ['OneKeyLocker']}\n", "Avaddon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon', 'https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure', 'https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/', 'https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis', 'https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire', 'https://www.swascan.com/it/avaddon-ransomware/', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.tgsoft.it/files/report/download.asp?id=568531345', 'https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/', 'https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/', 'https://www.connectwise.com/resources/avaddon-profile', 'https://twitter.com/dk_samper/status/1348560784285167617', 'https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://arxiv.org/pdf/2102.04796.pdf', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/', 'https://www.mandiant.com/resources/chasing-avaddon-ransomware', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://twitter.com/Securityinbits/status/1271065316903120902', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/']}\n", "AvastDisabler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler', 'https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/']}\n", "AVCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt', 'https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/']}\n", "AvD Crypto Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.avd', 'https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/']}\n", "Aveo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo', 'http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/', 'https://www.secureworks.com/research/threat-profiles/bronze-overbrook']}\n", "Ave Maria {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria', 'https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat', 'https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html', 'https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html', 'http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery', 'https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA', 'https://reaqta.com/2019/04/ave_maria-malware-part1/', 'https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat', 'https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique', 'https://www.youtube.com/watch?v=T0tdj1WDioM', 'https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html', 'https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf', 'https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware', 'https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.youtube.com/watch?v=-G82xh9m4hc', 'https://blog.yoroi.company/research/the-ave_maria-malware/', 'https://asec.ahnlab.com/en/36629/', 'https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/', 'https://www.youtube.com/watch?v=81fdvmGmRvM', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://blog.morphisec.com/syk-crypter-discord', 'https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest', 'https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1', 'https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html', 'https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/'], 'synonyms': ['AVE_MARIA', 'AveMariaRAT', 'Warzone RAT', 'WarzoneRAT', 'avemaria']}\n", "AvosLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker', 'https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group', 'https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html', 'https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html', 'https://www.ic3.gov/Media/News/2022/220318.pdf', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker', 'https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/', 'https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/', 'https://unit42.paloaltonetworks.com/emerging-ransomware-groups/', 'https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape', 'https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen', 'https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "Avzhan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan', 'https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/']}\n", "Ayegent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent']}\n", "Aytoke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke', 'https://www.youtube.com/watch?v=FttiysUZmDw', 'https://snort.org/rule_docs/1-34217']}\n", "Azorult {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult', 'https://community.riskiq.com/article/56e28880', 'https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/', 'https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html', 'https://community.riskiq.com/article/2a36a7d2/description', 'https://fr3d.hk/blog/gazorp-thieving-from-thieves', 'https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware', 'https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign', 'https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update', 'https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/', 'https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/', 'https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/', 'https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html', 'https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html', 'https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html', 'https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html', 'https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05', 'https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/', 'https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/', 'https://medium.com/s2wlab/operation-synctrek-e5013df8d167', 'https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/', 'https://twitter.com/DrStache_/status/1227662001247268864', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html', 'https://www.youtube.com/watch?v=EyDiIAt__dI', 'https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html', 'https://asec.ahnlab.com/en/26517/', 'https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/', 'https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf', 'https://isc.sans.edu/diary/25120', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside', 'https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/', 'https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/', 'https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers', 'https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/', 'https://securelist.com/azorult-analysis-history/89922/', 'https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/', 'https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/', 'https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/', 'https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/', 'https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/', 'https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan', 'https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/', 'https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/', 'https://unit42.paloaltonetworks.com/cybersquatting/', 'https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['PuffStealer', 'Rultazo']}\n", "Babar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.babar', 'http://www.spiegel.de/media/media-35683.pdf', 'https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope', 'https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/', 'https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/', 'https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/'], 'synonyms': ['SNOWBALL']}\n", "Babuk (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/', 'https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/', 'https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/', 'https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f', 'https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/', 'https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/', 'https://securelist.com/ransomware-world-in-2021/102169/', 'https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt', 'https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1', 'https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/', 'https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/', 'https://twitter.com/Sebdraven/status/1346377590525845504', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/', 'https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62', 'https://twitter.com/GossiTheDog/status/1409117153182224386', 'https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2', 'https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf', 'http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/', 'https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/', 'https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b', 'https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf', 'https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/', 'https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf', 'https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/', 'https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/', 'https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/', 'https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html', 'https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/', 'https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings', 'https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html'], 'synonyms': ['Babyk', 'Vasa Locker']}\n", "BabyLon RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat', 'https://twitter.com/KorbenD_Intel/status/1110654679980085262']}\n", "BABYMETAL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.mandiant.com/resources/evolution-of-fin7', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000', 'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html']}\n", "BabyShark {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries', 'https://twitter.com/i/web/status/1099147896950185985', 'https://www.youtube.com/watch?v=Dv2_DK3tRgI', 'https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html', 'https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf', 'https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite', 'https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf', 'https://us-cert.cisa.gov/ncas/alerts/aa20-301a', 'https://www.youtube.com/watch?v=rfzmHjZX70s', 'https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1', 'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/', 'https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html', 'https://blog.alyac.co.kr/3352', 'https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf']}\n", "BACKBEND {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf']}\n", "BackConfig {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig', 'https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/', 'https://unit42.paloaltonetworks.com/atoms/thirstygemini/']}\n", "BackNet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet', 'https://github.com/valsov/BackNet']}\n", "Backoff POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff', 'https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/']}\n", "backspace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-geneva', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/', 'https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf'], 'synonyms': ['Lecna', 'ZRLnk']}\n", "BackSwap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap', 'https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/', 'https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi', 'https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/', 'https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/', 'https://explore.group-ib.com/htct/hi-tech_crime_2018', 'https://www.cert.pl/en/news/single/backswap-malware-analysis/', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/', 'https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf', 'https://research.checkpoint.com/the-evolution-of-backswap/']}\n", "BADCALL (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall', 'https://www.us-cert.gov/ncas/analysis-reports/ar19-252a', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf']}\n", "BadEncript {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript', 'https://twitter.com/PhysicalDrive0/status/833067081981710336']}\n", "badflick {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick', 'https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html', 'https://blog.amossys.fr/badflick-is-not-so-bad.html']}\n", "BADHATCH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch', 'https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/']}\n", "BadNews {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews', 'https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/', 'https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/', 'https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait', 'https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf', 'https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign', 'https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf', 'http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2', 'https://lab52.io/blog/new-patchwork-campaign-against-pakistan/', 'http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf', 'https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf']}\n", "Bagle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle', 'https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf']}\n", "Bahamut (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut', 'https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf', 'https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/', 'https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/']}\n", "Baldr {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf', 'https://www.youtube.com/watch?v=E2V4kB_gtcQ', 'https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/', 'https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/'], 'synonyms': ['Baldir']}\n", "BalkanDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door', 'https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/']}\n", "BalkanRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat', 'https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/']}\n", "Bamital {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital', 'https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/', 'https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf']}\n", "Banatrix {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix', 'https://www.cert.pl/en/news/single/banatrix-an-indepth-look/']}\n", "bancos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bancos', 'https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil']}\n", "Bandook {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook', 'https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf', 'https://research.checkpoint.com/2020/bandook-signed-delivered', 'https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/', 'https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot', 'https://research.checkpoint.com/2020/bandook-signed-delivered/', 'https://twitter.com/malwrhunterteam/status/796425285197561856', 'https://www.eff.org/files/2018/01/29/operation-manul.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook'], 'synonyms': ['Bandok']}\n", "bangat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat', 'https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal']}\n", "Banjori {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori', 'http://blog.kleissner.org/?p=69', 'http://blog.kleissner.org/?p=192', 'http://osint.bambenekconsulting.com/feeds/', 'https://www.johannesbader.ch/2015/02/the-dga-of-banjori/'], 'synonyms': ['BackPatcher', 'BankPatch', 'MultiBanker 2']}\n", "Bankshot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-108a', 'https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a', 'https://blog.reversinglabs.com/blog/hidden-cobra', 'https://www.secureworks.com/research/threat-profiles/nickel-gladstone', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-133a'], 'synonyms': ['COPPERHEDGE']}\n", "Barb(ie) Downloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.barbie', 'https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials']}\n", "BarbWire {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.barbwire', 'https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials']}\n", "barkiofork {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.barkiofork', 'https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry']}\n", "Bart {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bart', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf']}\n", "BatchWiper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper', 'https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs', 'http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html']}\n", "Batel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.batel', 'https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks']}\n", "BazarBackdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor', 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti', 'https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/', 'https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/', 'https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9', 'https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/', 'https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware', 'https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware', 'https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/', 'https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html', 'https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident', 'https://abnormalsecurity.com/blog/bazarloader-contact-form', 'https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html', 'https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue', 'https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf', 'https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/', 'https://www.scythe.io/library/threatthursday-ryuk', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I', 'https://unit42.paloaltonetworks.com/api-hammering-malware-families/', 'https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf', 'https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire', 'https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/', 'https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/', 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/', 'https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/', 'https://www.crowdstrike.com/blog/wizard-spider-adversary-update/', 'https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets', 'https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/', 'https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://johannesbader.ch/blog/yet-another-bazarloader-dga/', 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html', 'https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/', 'https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth', 'https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/', 'https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/', 'https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/', 'https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d', 'https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/', 'https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike', 'https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group', 'https://fr3d.hk/blog/campo-loader-simple-but-effective', 'https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/', 'https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II', 'https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/', 'https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv', 'https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/', 'https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf', 'https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/', 'https://isc.sans.edu/diary/27308', 'https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/', 'https://intel471.com/blog/conti-leaks-ransomware-development', 'https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/', 'https://experience.mandiant.com/trending-evil/p/1', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor', 'https://twitter.com/anthomsec/status/1321865315513520128', 'https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/', 'https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/', 'https://twitter.com/Unit42_Intel/status/1458113934024757256', 'https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/', 'https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e', 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf', 'https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf', 'https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/', 'https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors', 'https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/', 'https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/', 'https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html', 'https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor', 'https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf', 'https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/', 'https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf', 'https://cofense.com/blog/bazarbackdoor-stealthy-infiltration', 'https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/', 'https://thedfirreport.com/2021/01/31/bazar-no-ryuk/', 'https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html', 'https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/', 'https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/', 'https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors', 'https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html', 'https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/', 'https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/', 'https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day', 'https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html', 'https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/', 'https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon', 'https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/', 'https://malwarebookreports.com/bazarloader-back-from-holiday-break/', 'https://forensicitguy.github.io/bazariso-analysis-advpack/', 'https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/', 'https://unit42.paloaltonetworks.com/bazarloader-malware/', 'https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/', 'https://www.youtube.com/watch?v=uAkeXCYcl4Y', 'https://unit42.paloaltonetworks.com/ryuk-ransomware/', 'https://thedfirreport.com/2020/10/08/ryuks-return/', 'https://thedfirreport.com/2021/12/13/diavol-ransomware/', 'https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/', 'https://www.hhs.gov/sites/default/files/bazarloader.pdf', 'https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/', 'https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/'], 'synonyms': ['BEERBOT', 'KEGTAP', 'Team9Backdoor', 'bazaloader', 'bazarloader']}\n", "BazarNimrod {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176', 'https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware', 'https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e', 'https://twitter.com/James_inthe_box/status/1357009652857196546', 'https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811'], 'synonyms': ['NimzaLoader']}\n", "BBSRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat', 'https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf', 'https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae', 'https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/', 'https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb']}\n", "BBtok {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bbtok', 'https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/']}\n", "Beapy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy', 'https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china']}\n", "Bedep {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep', 'https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html']}\n", "Bee {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bee', 'https://www.virustotal.com/gui/file/38f9ce7243c7851d67b24eb53b16177147f38dfffe201c5bedefe260d22ac908/detection']}\n", "beendoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor', 'https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf']}\n", "BeepService {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice', 'https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators']}\n", "Belonard {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard', 'https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0']}\n", "Berbomthum {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.berbomthum', 'https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/']}\n", "BernhardPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos', 'https://securitykitten.github.io/2015/07/14/bernhardpos.html', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-07-14-bernhardpos.md']}\n", "BestKorea {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bestkorea', 'https://github.com/Jacquais/BestKorea']}\n", "BetaBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html', 'https://www.cybereason.com/blog/betabot-banking-trojan-neurevt', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html', 'https://news.sophos.com/en-us/2020/05/14/raticate/', 'https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39', 'http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref', 'https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en', 'http://www.xylibox.com/2015/04/betabot-retrospective.html', 'https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/'], 'synonyms': ['Neurevt']}\n", "Bezigate {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate', 'https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf']}\n", "BfBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot']}\n", "BHunt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt', 'https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger', 'https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf', 'https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/']}\n", "BI_D Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware', 'http://zirconic.net/2018/07/bi_d-ransomware/', 'http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/']}\n", "bifrose {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bifrose', 'https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/', 'https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html']}\n", "BillGates {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates', 'https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/', 'https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/', 'https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server', 'https://habrahabr.ru/post/213973/', 'https://securelist.com/versatile-ddos-trojan-for-linux/64361/', 'https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html', 'https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf']}\n", "Binanen {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.binanen', 'https://www.secureworks.com/research/threat-profiles/bronze-fleetwood', 'https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Binanen-B/detailed-analysis.aspx']}\n", "BioData {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata', 'https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/', 'https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/', 'https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/', 'https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/']}\n", "bioload {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bioload', 'https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html']}\n", "BIOPASS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.biopass', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf', 'https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html']}\n", "Biscuit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf'], 'synonyms': ['zxdosml']}\n", "BISTROMATH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath', 'https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-045a', 'https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/', 'https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/', 'https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/']}\n", "BitPyLock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock', 'https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/', 'https://twitter.com/malwrhunterteam/status/1215252402988822529', 'https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview']}\n", "Bitsran {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran', 'https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf', 'https://content.fireeye.com/apt/rpt-apt38', 'http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html'], 'synonyms': ['SHADYCAT']}\n", "Bitter RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat', 'https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/', 'https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/', 'https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/', 'https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf', 'https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html', 'https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan']}\n", "BitRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat', 'https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/', 'https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/', 'https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf', 'https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/', 'https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/', 'https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/', 'https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/', 'https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html', 'https://community.riskiq.com/article/ade260c6', 'https://www.youtube.com/watch?v=CYm3g4zkQdw', 'https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware', 'https://asec.ahnlab.com/en/32781/', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf', 'https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md', 'https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat', 'https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities', 'https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html']}\n", "Bizzaro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bizarro', 'https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/']}\n", "BKA Trojaner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner', 'https://www.evild3ad.com/405/bka-trojaner-ransomware/'], 'synonyms': ['bwin3_bka']}\n", "Black Basta {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta', 'https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware', 'https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/', 'https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/', 'https://gbhackers.com/black-basta-ransomware/', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://securelist.com/luna-black-basta-ransomware/106950', 'https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla', 'https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware', 'https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape', 'https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/', 'https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html', 'https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/', 'https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/', 'https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta', 'https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html', 'https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware'], 'synonyms': ['no_name_software']}\n", "BlackByte {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte', 'https://www.ic3.gov/Media/News/2022/220211.pdf', 'https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants', 'https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html', 'https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html', 'https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/', 'https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape', 'https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/', 'https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape', 'https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure', 'https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte', 'https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/', 'https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace', 'https://redcanary.com/blog/blackbyte-ransomware/']}\n", "BlackCat (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat', 'https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809', 'https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/', 'https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape', 'https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/', 'https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/', 'https://blog.group-ib.com/blackcat', 'https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf', 'https://killingthebear.jorgetesta.tech/actors/alphv', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html', 'https://unit42.paloaltonetworks.com/blackcat-ransomware/', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/', 'https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf', 'https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html', 'https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022', 'https://www.ic3.gov/Media/News/2022/220420.pdf', 'https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware', 'https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware', 'https://www.intrinsec.com/alphv-ransomware-gang-analysis', 'https://www.varonis.com/blog/alphv-blackcat-ransomware', 'https://securelist.com/a-bad-luck-blackcat/106254/', 'https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/', 'https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments', 'https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware', 'https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html', 'https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/', 'https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/', 'https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/', 'https://github.com/f0wl/blackCatConf', 'https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'], 'synonyms': ['ALPHV', 'Noberus']}\n", "BLACKCOFFEE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee', 'https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/', 'https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf', 'https://www.youtube.com/watch?v=NFJqD-LcpIg', 'https://attack.mitre.org/groups/G0001/', 'http://malware-log.hatenablog.com/entry/2015/05/18/000000_1', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk', 'https://attack.mitre.org/software/S0069/', 'https://attack.mitre.org/groups/G0096', 'http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://attack.mitre.org/groups/G0025/'], 'synonyms': ['PNGRAT', 'ZoxPNG', 'gresim']}\n", "BlackEnergy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy', 'https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/', 'https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://attack.mitre.org/groups/G0034', 'https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf', 'https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf', 'http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf', 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games', 'https://securelist.com/black-ddos/36309/', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf', 'http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf', 'https://threatconnect.com/blog/casting-a-light-on-blackenergy/', 'https://marcusedmondson.com/2019/01/18/black-energy-analysis/', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/', 'https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.secureworks.com/research/blackenergy2', 'https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf', 'https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/', 'https://www.secureworks.com/research/threat-profiles/iron-viking', 'https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection']}\n", "BlackGuard {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard', 'https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/', 'https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm', 'https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/', 'https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data', 'https://www.youtube.com/watch?v=Fd8WjxzY2_g', 'https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html', 'https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/', 'https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer', 'https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/', 'https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/', 'https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5', 'https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4', 'https://cyberint.com/blog/research/blackguard-stealer/', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking']}\n", "BlackKingdom Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware', 'https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html', 'https://news.sophos.com/en-us/2021/03/23/black-kingdom/', 'https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities', 'https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html', 'https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html', 'https://securelist.com/black-kingdom-ransomware/102873/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "BlackMatter (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter', 'https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/', 'https://blog.group-ib.com/blackmatter#', 'https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809', 'https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf', 'https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/', 'https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf', 'https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://www.glimps.fr/lockbit3-0/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2', 'https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/', 'https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html', 'https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf', 'https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://www.mandiant.com/resources/cryptography-blackmatter-ransomware', 'https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service', 'https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/', 'https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/', 'https://www.netskope.com/blog/netskope-threat-coverage-blackmatter', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/', 'https://www.youtube.com/watch?v=NIiEcOryLpI', 'https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/', 'https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/', 'https://twitter.com/GelosSnake/status/1451465959894667275', 'https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d', 'https://blog.minerva-labs.com/blackmatter', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/', 'https://www.mandiant.com/resources/chasing-avaddon-ransomware', 'https://www.varonis.com/blog/blackmatter-ransomware/', 'https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/', 'https://us-cert.cisa.gov/ncas/alerts/aa21-291a', 'https://blog.group-ib.com/blackmatter2', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/']}\n", "BlackNET RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat', 'https://labs.k7computing.com/?p=21365', 'https://github.com/FarisCode511/BlackNET/', 'https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/', 'https://github.com/BlackHacker511/BlackNET/', 'http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html', 'https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware', 'https://github.com/mave12/BlackNET-3.7.0.1']}\n", "BlackNix RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknix_rat', 'https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb']}\n", "BlackPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/', 'https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf'], 'synonyms': ['Kaptoxa', 'MMon', 'POSWDS', 'Reedum']}\n", "BlackRemote {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote', 'https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/', 'https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/', 'https://news.sophos.com/en-us/2020/05/14/raticate/'], 'synonyms': ['BlackRAT']}\n", "BlackRevolution {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution']}\n", "BlackRouter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter', 'https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/'], 'synonyms': ['BLACKHEART']}\n", "Blackruby {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby', 'https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/', 'https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware']}\n", "BlackShades {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades', 'https://www.secureworks.com/research/threat-profiles/aluminum-saratoga', 'https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/', 'https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/', 'https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/', 'http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html']}\n", "BlackSoul {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksoul', 'https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/']}\n", "Blackworm RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat', 'https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html', 'https://github.com/BlackHacker511/BlackWorm', 'https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/']}\n", "BleachGap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bleachgap', 'https://labs.k7computing.com/index.php/bleachgap-revamped/']}\n", "BLINDINGCAN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan', 'https://www.hvs-consulting.de/lazarus-report/', 'https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf', 'https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html', 'https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a'], 'synonyms': ['DRATzarus RAT']}\n", "BLINDTOAD {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad', 'https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/', 'https://content.fireeye.com/apt/rpt-apt38', 'https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html']}\n", "Blister {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blister', 'https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://elastic.github.io/security-research/malware/2022/05/02.blister/article/', 'https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign', 'https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/', 'https://twitter.com/MsftSecIntel/status/1522690116979855360', 'https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html', 'https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/', 'https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/', 'https://redcanary.com/blog/intelligence-insights-january-2022/'], 'synonyms': ['COLORFAKE']}\n", "BloodyStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bloodystealer', 'https://twitter.com/3xp0rtblog/status/1380087553676697617', 'https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/']}\n", "BlueSky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bluesky', 'https://unit42.paloaltonetworks.com/bluesky-ransomware/', 'https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/']}\n", "BLUETHER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether', 'https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf', 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf'], 'synonyms': ['CAPGELD']}\n", "BluStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer', 'https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs', 'https://twitter.com/GoSecure_Inc/status/1437435265350397957', 'https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer', 'https://decoded.avast.io/anhho/blustealer/', 'https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord'], 'synonyms': ['a310logger']}\n", "BOATLAUNCH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch', 'https://www.mandiant.com/resources/evolution-of-fin7']}\n", "Boaxxe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe', 'https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/']}\n", "Bobik {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bobik', 'https://decoded.avast.io/martinchlumecky/bobik/']}\n", "Bohmini {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini']}\n", "Bolek {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek', 'https://securelist.com/kbot-sometimes-they-come-back/96157/', 'http://www.cert.pl/news/11379', 'https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt'], 'synonyms': ['KBOT']}\n", "Book of Eli {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bookofeli', 'https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/']}\n", "Bookworm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bookworm', 'https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/']}\n", "BOOSTWRITE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html']}\n", "BOOTWRECK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/', 'https://content.fireeye.com/apt/rpt-apt38'], 'synonyms': ['MBRkiller']}\n", "Borat RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.boratrat', 'https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/', 'https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/', 'https://blogs.blackberry.com/en/2022/04/threat-thursday-boratrat']}\n", "Borr {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.borr', 'https://telegra.ph/Borr-Malware-02-04', 'https://github.com/onek1lo/Borr-Stealer', 'https://twitter.com/ViriBack/status/1222704498923032576']}\n", "Bouncer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "Bozok {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe', 'https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html']}\n", "BRAIN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.brain', 'https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/']}\n", "Brambul {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.us-cert.gov/ncas/alerts/TA18-149A', \"https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1\", \"https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1\", \"https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2\", 'https://www.us-cert.gov/ncas/analysis-reports/AR18-149A', 'https://www.secureworks.com/research/threat-profiles/nickel-academy', 'https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/', \"https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2\", 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf'], 'synonyms': ['SORRYBRUTE']}\n", "BravoNC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc', 'https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group']}\n", "BrbBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot', 'https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md']}\n", "BreachRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat', 'https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html']}\n", "Breakthrough {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader']}\n", "Bredolab {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab', 'https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html']}\n", "BrittleBush {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.brittle_bush', 'https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage']}\n", "BROLER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.broler', 'https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf'], 'synonyms': ['down_new']}\n", "BrushaLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader', 'https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later', 'https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/', 'https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html']}\n", "Brute Ratel C4 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4', 'https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v']}\n", "BrutPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos', 'https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html']}\n", "BS2005 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005', 'https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://github.com/nccgroup/Royal_APT', 'https://www.secureworks.com/research/threat-profiles/bronze-palace']}\n", "BTCWare {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware', 'https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/']}\n", "BUBBLEWRAP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap', 'https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html', 'https://attack.mitre.org/software/S0043/']}\n", "Buer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.buer', 'https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader', 'https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/', 'https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust', 'https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware', 'https://twitter.com/SophosLabs/status/1321844306970251265', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program', 'https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96', 'https://blog.minerva-labs.com/stopping-buerloader', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://twitter.com/StopMalvertisin/status/1182505434231398401', 'http://www.secureworks.com/research/threat-profiles/gold-symphony', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace', 'http://www.secureworks.com/research/threat-profiles/gold-blackburn', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf', 'https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/', 'https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html', 'https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf', 'https://blog.group-ib.com/prometheus-tds', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/', 'https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/', 'https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['Buerloader', 'RustyBuer']}\n", "BUFFETLINE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.buffetline', 'https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-045f']}\n", "BUGHATCH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bughatch', 'https://www.elastic.co/security-labs/bughatch-malware-analysis']}\n", "Buhtrap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/', 'https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/', 'https://www.group-ib.com/brochures/gib-buhtrap-report.pdf', 'https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/', 'https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/', 'https://www.scythe.io/library/threatthursday-buhtrap', 'https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code', 'https://malware-research.org/carbanak-source-code-leaked/', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack', 'https://www.welivesecurity.com/2015/04/09/operation-buhtrap/', 'https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/'], 'synonyms': ['Ratopak']}\n", "BumbleBee {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee', 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti', 'https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/', 'https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine', 'https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/', 'https://isc.sans.edu/diary/rss/28636', 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/', 'https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/', 'https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/', 'https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control', 'https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns', 'https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks', 'https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/', 'https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike', 'https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html', 'https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest', 'https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/', 'https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g', 'https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/', 'https://isc.sans.edu/diary/rss/28664', 'https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise', 'https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime', 'https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader', 'https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/', 'https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056', 'https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming', 'https://isc.sans.edu/diary/28636', 'https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/']}\n", "Bundestrojaner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner', 'http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf', 'https://www.f-secure.com/weblog/archives/00002249.html'], 'synonyms': ['0zapftis', 'R2D2']}\n", "Bunitu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/', 'https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/', 'https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/', 'http://malware-traffic-analysis.net/2017/05/09/index.html', 'https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/', 'https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/']}\n", "Buterat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat', 'http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html'], 'synonyms': ['spyvoltar']}\n", "Buzus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A'], 'synonyms': ['Yimfoca']}\n", "BYEBY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby', 'https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/', 'https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan', 'https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/', 'https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/', 'https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia', 'https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/', 'https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan']}\n", "c0d0so0 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0']}\n", "CabArt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart']}\n", "CaddyWiper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://n0p.me/2022/03/2022-03-26-caddywiper/', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper', 'https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/', 'https://www.nioguard.com/2022/03/analysis-of-caddywiper.html', 'https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works', 'https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/', 'https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/', 'https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/', 'https://twitter.com/ESETresearch/status/1503436420886712321', 'https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine', 'https://cert.gov.ua/article/39518', 'https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/', 'https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/', 'https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/', 'https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/', 'https://twitter.com/silascutler/status/1513870210398363651', 'https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html', 'https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://cybersecuritynews.com/destructive-data-wiper-malware/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://twitter.com/HackPatch/status/1503538555611607042', 'https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html', 'https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/', 'https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine'], 'synonyms': ['KillDisk.NCX']}\n", "CadelSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy', 'https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets', 'http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf'], 'synonyms': ['Cadelle']}\n", "CALMTHORN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn', 'https://www.youtube.com/watch?v=3cUWjojQXWE', 'https://twitter.com/8th_grey_owl/status/1357550261963689985', 'https://www.datanet.co.kr/news/articleView.html?idxno=133346']}\n", "Cameleon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon', 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html'], 'synonyms': ['StormKitty']}\n", "campoloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader', 'https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/', 'https://unit42.paloaltonetworks.com/bazarloader-malware/', 'https://blog.group-ib.com/prometheus-tds']}\n", "CamuBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot', 'https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/']}\n", "Cannibal Rat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat', 'http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html']}\n", "Cannon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon', 'https://unit42.paloaltonetworks.com/atoms/fighting-ursa/', 'https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/', 'https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html']}\n", "Carbanak {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak', 'https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe', 'https://www.secureworks.com/research/threat-profiles/gold-niagara', 'https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html', 'https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/', 'https://threatintel.blog/OPBlueRaven-Part2/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/', 'https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.mandiant.com/resources/evolution-of-fin7', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://unit42.paloaltonetworks.com/atoms/mulelibra/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html', 'https://threatintel.blog/OPBlueRaven-Part1/', 'https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html', 'https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest', 'https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html', 'https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html'], 'synonyms': ['Anunak', 'Sekur RAT']}\n", "Carberp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp', 'https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf', 'https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://blog.avast.com/2013/04/08/carberp_epitaph/']}\n", "Cardinal RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat', 'http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412', 'https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/', 'https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf', 'https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection']}\n", "CARROTBALL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball', 'https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/']}\n", "CarrotBat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat', 'https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/', 'https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/']}\n", "Casper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.casper', 'https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/']}\n", "Catchamas {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas', 'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets']}\n", "CCleaner Backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor', 'https://www.mandiant.com/resources/pe-file-infecting-malware-ot', 'http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor', 'https://securelist.com/big-threats-using-code-similarity-part-1/97239/', 'https://risky.biz/whatiswinnti/', 'https://stmxcsr.com/persistence/print-processor.html', 'https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf', 'https://www.wired.com/story/ccleaner-malware-targeted-tech-firms', 'http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html', 'https://blog.avast.com/progress-on-ccleaner-investigation', 'https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/', 'https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident', 'https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities', 'https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/', 'https://twitter.com/craiu/status/910148928796061696', 'https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/', 'http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/', 'https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer', 'https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident', 'http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html'], 'synonyms': ['DIRTCLEANER']}\n", "CenterPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos', 'https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html'], 'synonyms': ['cerebrus']}\n", "Cerber {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/', 'https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/', 'https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.youtube.com/watch?v=y8Z9KnL8s8s']}\n", "Cerbu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner']}\n", "CetaRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ceta_rat', 'https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388']}\n", "ChaChi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chachi', 'https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat']}\n", "Chaes {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chaes', 'https://decoded.avast.io/anhho/chasing-chaes-kill-chain/']}\n", "Chainshot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot', 'https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack', 'https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/', 'https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/', 'https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec', 'https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/']}\n", "CHAIRSMACK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chairsmack', 'https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/']}\n", "Chaos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos', 'https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/', 'https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/', 'https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging', 'https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/', 'https://twitter.com/vinopaljiri/status/1519645742440329216', 'https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia', 'https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction', 'https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html'], 'synonyms': ['FakeRyuk', 'RyukJoke', 'Yashma']}\n", "Chaperone {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone', 'https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal', 'https://securelist.com/project-tajmahal/90240/', 'https://securelist.com/apt-trends-report-q2-2019/91897/'], 'synonyms': ['Taj Mahal']}\n", "CHCH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chch', 'https://twitter.com/GrujaRS/status/1205566219971125249']}\n", "ChChes {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chches', 'http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/', 'https://www.jpcert.or.jp/magazine/acreport-ChChes.html', 'https://www.secureworks.com/research/threat-profiles/bronze-riverside', 'https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html', 'https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html', 'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf'], 'synonyms': ['HAYMAKER', 'Ham Backdoor']}\n", "CHEESETRAY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-045c', 'https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/', 'https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf'], 'synonyms': ['CROWDEDFLOUNDER']}\n", "Chernolocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chernolocker', 'https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html']}\n", "CherryPicker POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/'], 'synonyms': ['cherry_picker', 'cherrypicker', 'cherrypickerpos']}\n", "ChewBacca {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca', 'http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/']}\n", "CHINACHOPPER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper', 'https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/', 'https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/', 'https://attack.mitre.org/groups/G0125/', 'https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/', 'https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf', 'https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/', 'https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html', 'https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/', 'https://twitter.com/ESETresearch/status/1366862946488451088', 'https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf', 'https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/', 'https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf', 'https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/', 'https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html', 'https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html', 'https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/', 'https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html', 'https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/', 'https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728', 'https://blog.joshlemon.com.au/hafnium-exchange-attacks/', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a', 'https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks', 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers', 'https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf', 'https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/', 'https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html', 'https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html', 'https://unit42.paloaltonetworks.com/atoms/iron-taurus/', 'https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran', 'https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers', 'https://www.secureworks.com/research/threat-profiles/bronze-president', 'https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion', 'https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers', 'https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection', 'https://us-cert.cisa.gov/ncas/alerts/aa20-259a', 'https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html', 'https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://www.secureworks.com/research/threat-profiles/bronze-express', 'https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968', 'https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html', 'https://redcanary.com/blog/microsoft-exchange-attacks', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk', 'https://us-cert.cisa.gov/ncas/alerts/aa20-275a', 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf', 'https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/', 'https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html', 'https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/', 'https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/', 'https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/', 'https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/', 'https://www.youtube.com/watch?v=rn-6t7OygGk', 'https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html', 'https://attack.mitre.org/software/S0020/', 'https://www.praetorian.com/blog/reproducing-proxylogon-exploit/', 'https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/', 'https://unit42.paloaltonetworks.com/china-chopper-webshell/', 'https://attack.mitre.org/groups/G0096', 'https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html', 'https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers', 'https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html', 'https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos', 'https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4']}\n", "Chinad {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad']}\n", "ChinaJm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chinajm', 'https://id-ransomware.blogspot.com/2020/02/chinajm-ransomware.html']}\n", "Chinotto (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto', 'https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/']}\n", "Chinoxy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy', 'https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf', 'https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746', 'https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis', 'https://community.riskiq.com/article/5fe2da7f', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://community.riskiq.com/article/56fa1b2f', 'https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists', 'https://nao-sec.org/2021/01/royal-road-redive.html', 'https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02', 'https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf']}\n", "Chir {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chir']}\n", "Chisel (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel', 'https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/', 'https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/']}\n", "ChiserClient {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client', 'https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html']}\n", "Choziosi (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi', 'https://cybergeeks.tech/chromeloader-browser-hijacker', 'https://redcanary.com/blog/chromeloader/', 'https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html'], 'synonyms': ['ChromeLoader']}\n", "Chthonic {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html', 'https://securelist.com/chthonic-a-new-modification-of-zeus/68176/', 'https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan'], 'synonyms': ['AndroKINS']}\n", "cifty {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cifty', 'http://contagiodump.blogspot.com/2009/06/win32updateexe-md5-eec80fd4c7fc5cf5522f.html']}\n", "Cinobi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi', 'http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html', 'https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf', 'https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/']}\n", "Citadel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel', 'https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/', 'https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf', 'http://www.xylibox.com/2016/02/citadel-0011-atmos.html', 'http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals']}\n", "Clambling {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling', 'https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf', 'https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/', 'https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf']}\n", "CLASSFON {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon', 'https://content.fireeye.com/apt-41/rpt-apt41/']}\n", "CLEANTOAD {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cleantoad', 'https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf']}\n", "Client Maximus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus', 'https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/']}\n", "ClipBanker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf', 'https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/', 'https://asec.ahnlab.com/en/35981/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/']}\n", "Clop {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.clop', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/', 'https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks', 'https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/', 'https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/', 'https://twitter.com/darb0ng/status/1338692764121251840', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/', 'https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/', 'https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/', 'https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/', 'https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/', 'https://medium.com/s2wlab/operation-synctrek-e5013df8d167', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2', 'https://www.secureworks.com/research/threat-profiles/gold-tahoe', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/', 'https://unit42.paloaltonetworks.com/clop-ransomware/', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html', 'https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti', 'https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot', 'https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/', 'https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf', 'https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities', 'https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/', 'https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/', 'https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/', 'https://github.com/Tera0017/TAFOF-Unpacker', 'https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html', 'https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.youtube.com/watch?v=PqGaZgepNTE', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/', 'https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever', 'https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html', 'https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://asec.ahnlab.com/en/19542/', 'https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/', 'https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/']}\n", "CloudEyE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye', 'https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/', 'https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943', 'https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/', 'https://research.checkpoint.com/2020/guloader-cloudeye/', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'https://labs.vipre.com/unloading-the-guloader/', 'https://twitter.com/VK_Intel/status/1252678206852907011', 'https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader', 'https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf', 'https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html', 'https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/', 'https://malwation.com/malware-config-extraction-diaries-1-guloader/', 'https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://www.youtube.com/watch?v=-FxyzuRv6Wg', 'https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/', 'https://www.youtube.com/watch?v=N0wAh26wShE', 'https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland', 'https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services', 'https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter', 'https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/', 'https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/', 'https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/', 'https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/', 'https://www.youtube.com/watch?v=K3Yxu_9OUxU', 'https://blog.morphisec.com/guloader-the-rat-downloader', 'https://experience.mandiant.com/trending-evil-2/p/1', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/', 'https://twitter.com/TheEnergyStory/status/1240608893610459138', 'https://twitter.com/VK_Intel/status/1257206565146370050', 'https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/', 'https://www.crowdstrike.com/blog/guloader-malware-analysis/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://labs.k7computing.com/?p=20156', 'https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update', 'https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195', 'https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4', 'https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader', 'https://www.joesecurity.org/blog/3535317197858305930', 'https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728', 'https://twitter.com/TheEnergyStory/status/1239110192060608513', 'https://twitter.com/VK_Intel/status/1255537954304524288', 'https://labs.k7computing.com/?p=21725Lokesh', 'https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two', 'https://twitter.com/sysopfb/status/1258809373159305216', 'https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/'], 'synonyms': ['GuLoader', 'vbdropper']}\n", "Cloud Duke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke', 'https://www.f-secure.com/weblog/archives/00002822.html']}\n", "CMSBrute {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute', 'https://securelist.com/the-shade-encryptor-a-double-threat/72087/']}\n", "CMSTAR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar', 'https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan', 'https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan', 'https://twitter.com/ClearskySec/status/963829930776723461', 'https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/'], 'synonyms': ['meciv']}\n", "CoalaBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html']}\n", "CobaltMirage FRP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cobaltmirage_tunnel', 'https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us', 'https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools']}\n", "Cobalt Strike {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike', 'https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/', 'https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon', 'https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ', 'https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/', 'https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/', 'https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/', 'https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure', 'https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/', 'https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/', 'https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/', 'https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html', 'https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/', 'https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/', 'http://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/', 'https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/', 'https://wbglil.gitbook.io/cobalt-strike/', 'https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware', 'https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/', 'https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/', 'https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489', 'https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734', 'https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought', 'https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/', 'https://malwarelab.eu/posts/fin6-cobalt-strike/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://asec.ahnlab.com/en/31811/', 'https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos', 'https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire', 'https://us-cert.cisa.gov/ncas/alerts/aa20-275a', 'https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html', 'https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf', 'https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html', 'https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/', 'https://connormcgarr.github.io/thread-hijacking/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf', 'https://www.contextis.com/en/blog/dll-search-order-hijacking', 'https://www.mandiant.com/media/12596/download', 'https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/', 'https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903', 'https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/', 'https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/', 'https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/', 'https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf', 'https://redcanary.com/blog/intelligence-insights-december-2021', 'https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/', 'https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64', 'https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia', 'https://www.mandiant.com/media/10916/download', 'https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/', 'https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c', 'https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt', 'https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/', 'https://twitter.com/elisalem9/status/1398566939656601606', 'https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/', 'https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/', 'https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575', 'https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/', 'https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e', 'https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems', 'https://malware-traffic-analysis.net/2021/09/29/index.html', 'https://www.secureworks.com/research/threat-profiles/bronze-president', 'https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py', 'https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware', 'https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/', 'https://blog.morphisec.com/vmware-identity-manager-attack-backdoor', 'https://twitter.com/vikas891/status/1385306823662587905', 'https://redcanary.com/blog/grief-ransomware/', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf', 'https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/', 'https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf', 'https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir', 'https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/', 'https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811', 'https://cert.gov.ua/article/703548', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/', 'https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/', 'https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/', 'https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py', 'https://asec.ahnlab.com/en/34549/', 'https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine', 'https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811', 'https://security.macnica.co.jp/blog/2022/05/iso.html', 'https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/', 'https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel', 'https://www.sans.org/webcasts/contrarian-view-solarwinds-119515', 'https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/', 'https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/', 'https://www.malware-traffic-analysis.net/2021/09/17/index.html', 'https://twitter.com/GossiTheDog/status/1438500100238577670', 'https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware', 'https://blog.group-ib.com/colunmtk_apt41', 'https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/', 'https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf', 'https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack', 'https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/', 'https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/', 'https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/', 'https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/', 'https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux', 'https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b', 'https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf', 'https://us-cert.cisa.gov/ncas/alerts/aa21-148a', 'https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee', 'https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/', 'https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/', 'https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/', 'https://www.macnica.net/file/mpression_automobile.pdf', 'https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/', 'https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks', 'https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf', 'https://asec.ahnlab.com/ko/19860/', 'https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/', 'https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia', 'https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/', 'https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure', 'https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/', 'https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf', 'https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/', 'https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims', 'https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/', 'https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications', 'https://www.accenture.com/us-en/blogs/security/ransomware-hades', 'https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf', 'https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/', 'https://www.cobaltstrike.com/support', 'https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/', 'https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/', 'https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/', 'https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/', 'https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one', 'https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/', 'https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach', 'https://isc.sans.edu/diary/rss/27618', 'https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html', 'https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g', 'https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://twitter.com/alex_lanstein/status/1399829754887524354', 'https://isc.sans.edu/diary/rss/27176', 'https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass', 'https://twitter.com/Cryptolaemus1/status/1407135648528711680', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://twitter.com/RedDrip7/status/1402640362972147717?s=20', 'https://securelist.com/apt-luminousmoth/103332/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment', 'https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/', 'https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/', 'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf', 'https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/', 'https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a', 'https://www.youtube.com/watch?v=ysN-MqyIN7M', 'https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/', 'https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine', 'https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/', 'https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent', 'https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html', 'https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf', 'https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2', 'https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/', 'https://isc.sans.edu/diary/rss/26862', 'https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/', 'https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike', 'https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf', 'https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups', 'https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9', 'https://boschko.ca/cobalt-strike-process-injection/', 'https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html', 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan', 'https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf', 'https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html', 'https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware', 'https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments', 'https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/', 'https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7', 'https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections', 'https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/', 'https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/', 'https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis', 'https://www.telsy.com/download/5972/?uid=d7c082ba55', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta', 'https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/', 'https://isc.sans.edu/diary/27308', 'https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware', 'https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis', 'https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/', 'http://blog.nsfocus.net/murenshark', 'https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx', 'https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware', 'https://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/', 'https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/', 'https://thehackernews.com/2022/05/malware-analysis-trickbot.html', 'https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/', 'https://awakesecurity.com/blog/catching-the-white-stork-in-flight/', 'https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html', 'https://pylos.co/2018/11/18/cozybear-in-from-the-cold/', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://www.youtube.com/watch?v=FC9ARZIZglI', 'https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/', 'https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b', 'https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/', 'https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/', 'https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-249a', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf', 'https://blog.group-ib.com/REvil_RaaS', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://isc.sans.edu/diary/rss/28752', 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf', 'https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns', 'https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/', 'https://github.com/Apr4h/CobaltStrikeScan', 'https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/', 'https://thedfirreport.com/2021/01/31/bazar-no-ryuk/', 'https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021', 'https://www.youtube.com/watch?v=WW0_TgWT2gs', 'https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html', 'https://www.mandiant.com/resources/spear-phish-ukrainian-entities', 'https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf', 'https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks', 'https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/', 'https://www.brighttalk.com/webcast/7451/462719', 'https://community.riskiq.com/article/f0320980', 'https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/', 'https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/', 'https://401trg.com/burning-umbrella/ ', 'https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/', 'https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf', 'https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2', 'https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks', 'https://www.youtube.com/watch?v=borfuQGrB8g', 'https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html', 'https://asec.ahnlab.com/ko/19640/', 'https://www.mandiant.com/resources/sabbath-ransomware-affiliate', 'https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/', 'https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/', 'https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/', 'https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b', 'https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/', 'https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e', 'https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html', 'https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/', 'https://twitter.com/ffforward/status/1324281530026524672', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf', 'https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html', 'https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/', 'https://rastamouse.me/ntlm-relaying-via-cobalt-strike/', 'https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html', 'https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/', 'https://twitter.com/felixw3000/status/1521816045769662468', 'https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack', 'https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/', 'https://twitter.com/cglyer/status/1480742363991580674', 'https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/', 'https://www.mandiant.com/resources/unc2452-merged-into-apt29', 'https://twitter.com/TheDFIRReport/status/1359669513520873473', 'https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf', 'https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671', 'https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion', 'https://www.secureworks.com/research/threat-profiles/bronze-riverside', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://www.youtube.com/watch?v=6SDdUVejR2w', 'https://unit42.paloaltonetworks.com/atoms/obscureserpens/', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/', 'https://cert.gov.ua/article/619229', 'https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/', 'https://www.mandiant.com/resources/evolution-of-fin7', 'http://www.secureworks.com/research/threat-profiles/gold-drake', 'https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/', 'https://github.com/sophos-cybersecurity/solarwinds-threathunt', 'https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/', 'https://www.secureworks.com/research/threat-profiles/gold-waterfall', 'https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html', 'https://www.prevailion.com/what-wicked-webs-we-unweave/', 'https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting', 'https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/', 'https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html', 'https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f', 'https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/', 'https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot', 'https://attack.mitre.org/groups/G0096', 'https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html', 'https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html', 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/', 'https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41', 'https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts', 'https://www.mandiant.com/resources/russian-targeting-gov-business', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-dupont', 'https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns', 'https://www.secureworks.com/research/threat-profiles/gold-niagara', 'https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/', 'https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/', 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/', 'https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/', 'https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks', 'https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/', 'https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/', 'https://intel471.com/blog/shipping-companies-ransomware-credentials', 'https://content.fireeye.com/m-trends/rpt-m-trends-2020', 'https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection', 'https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/', 'https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my', 'https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md', 'https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/', 'https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/', 'https://isc.sans.edu/diary/26752', 'https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/', 'https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/', 'https://mez0.cc/posts/cobaltstrike-powershell-exec/', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/', 'https://twitter.com/AltShiftPrtScn/status/1350755169965924352', 'https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv', 'https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/', 'https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718', 'https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html', 'https://twitter.com/swisscom_csirt/status/1354052879158571008', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/', 'https://www.youtube.com/watch?v=C733AyPzkoc', 'https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos', 'https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam', 'https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/', 'https://blog.macnica.net/blog/2020/11/dtrack.html', 'https://twitter.com/Unit42_Intel/status/1458113934024757256', 'https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/', 'https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/', 'https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e', 'https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf', 'https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64', 'https://blogs.blackberry.com/en/2022/01/log4u-shell4me', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf', 'https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728', 'https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control', 'https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/', 'https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf', 'https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html', 'https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike', 'https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf', 'https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730', 'https://www.youtube.com/watch?v=y65hmcLIWDY', 'https://intel471.com/blog/conti-emotet-ransomware-conti-leaks', 'https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk', 'https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/', 'https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/', 'https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/', 'https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20', 'https://zero.bs/cobaltstrike-beacons-analyzed.html', 'https://www.arashparsa.com/catching-a-malware-with-no-name/', 'https://www.varonis.com/blog/hive-ransomware-analysis', 'https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf', 'https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/', 'https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink', 'https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/', 'https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf', 'https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#', 'https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/', 'https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/', 'https://thedfirreport.com/2022/04/25/quantum-ransomware/', 'https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html', 'https://twitter.com/TheDFIRReport/status/1356729371931860992', 'https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/', 'https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/', 'https://www.bitsight.com/blog/emotet-botnet-rises-again', 'https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack', 'https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf', 'https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services', 'https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html', 'https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/', 'https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/', 'https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf', 'https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf', 'https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/', 'https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf', 'https://www.hhs.gov/sites/default/files/bazarloader.pdf', 'https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/', 'https://twitter.com/redcanary/status/1334224861628039169', 'https://isc.sans.edu/diary/rss/28934', 'https://blog.group-ib.com/apt41-world-tour-2021', 'https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html', 'https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors', 'https://thedfirreport.com/2022/03/07/2021-year-in-review/', 'https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf', 'https://community.riskiq.com/article/c88cf7e6', 'https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/', 'https://thedfirreport.com/2021/05/12/conti-ransomware/', 'https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/', 'https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike', 'https://skyblue.team/posts/scanning-virustotal-firehose/', 'https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/', 'https://www.secureworks.com/research/threat-profiles/tin-woodlawn', 'https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/', 'https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors', 'https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/', 'https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue', 'https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html', 'https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/', 'https://twitter.com/MBThreatIntel/status/1412518446013812737', 'https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/', 'https://web.br.de/interaktiv/ocean-lotus/en/', 'https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/', 'https://twitter.com/Unit42_Intel/status/1461004489234829320', 'https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/', 'https://netresec.com/?b=214d7ff', 'https://www.arashparsa.com/hook-heaps-and-live-free/', 'https://www.qurium.org/alerts/targeted-malware-against-crph/', 'https://www.malware-traffic-analysis.net/2021/09/29/index.html', 'https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes', 'https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/', 'https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware', 'https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/', 'https://isc.sans.edu/diary/28636', 'https://blogs.blackberry.com/en/2021/11/zebra2104', 'https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf', 'https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/', 'https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://www.inde.nz/blog/different-kind-of-zoombomb', 'https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/', 'https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153', 'https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/', 'https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/', 'https://twitter.com/VK_Intel/status/1294320579311435776', 'https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage', 'https://www.cynet.com/understanding-squirrelwaffle/', 'https://blog.cobaltstrike.com/', 'https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/', 'https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html', 'https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation', 'http://www.secureworks.com/research/threat-profiles/gold-winter', 'https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/', 'https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/', 'https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/', 'https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2', 'https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/', 'https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/', 'https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html', 'https://isc.sans.edu/diary/rss/28664', 'https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/', 'https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/', 'https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk', 'https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/', 'https://twitter.com/AltShiftPrtScn/status/1385103712918642688', 'https://www.youtube.com/watch?v=GfbxHy6xnbA', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3', 'https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929', 'https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468', 'https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html', 'https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/', 'https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html', 'https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book', 'https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/', 'https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise', 'https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/', 'https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/', 'https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/', 'https://explore.group-ib.com/htct/hi-tech_crime_2018', 'https://redcanary.com/blog/getsystem-offsec/', 'https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022', 'https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf', 'https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html', 'https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures', 'https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/', 'https://redcanary.com/blog/gootloader', 'https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/', 'https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728', 'https://blog.zsec.uk/cobalt-strike-profiles/', 'https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html', 'https://us-cert.cisa.gov/ncas/alerts/aa21-265a', 'https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor', 'https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html', 'https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a', 'https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html', 'http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems', 'https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/', 'https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/', 'https://www.mandiant.com/resources/apt41-us-state-governments', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e', 'https://paper.seebug.org/1301/', 'https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf', 'https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html', 'https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf', 'https://cyber.wtf/2022/03/23/what-the-packer/', 'https://twitter.com/AltShiftPrtScn/status/1403707430765273095', 'https://www.mandiant.com/resources/defining-cobalt-strike-components', 'https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates', 'https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/', 'https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/', 'https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/', 'https://cert.gov.ua/article/37704', 'https://malwarebookreports.com/cryptone-cobalt-strike/', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a', 'https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a', 'https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/', 'https://cert.gov.ua/article/339662', 'https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot', 'https://www.istrosec.com/blog/apt-sk-cobalt/', 'https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services', 'https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/', 'https://www.youtube.com/watch?v=gfYswA_Ronw', 'https://twitter.com/MsftSecIntel/status/1522690116979855360', 'https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf', 'https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/', 'https://www.ironnet.com/blog/ransomware-graphic-blog', 'https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf', 'https://vanmieghem.io/blueprint-for-evading-edr-in-2022/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang', 'https://www.lac.co.jp/lacwatch/people/20180521_001638.html', 'https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html', 'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear', 'https://isc.sans.edu/diary/rss/28448', 'https://community.riskiq.com/article/0bcefe76', 'https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20', 'https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/', 'https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/', 'https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618', 'https://blog.talosintelligence.com/2021/05/ctir-case-study.html', 'https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/', 'https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon', 'https://experience.mandiant.com/trending-evil-2/p/1', 'https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7', 'https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf', 'https://www.ic3.gov/Media/News/2021/210823.pdf', 'https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/', 'https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/', 'https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/', 'https://thedfirreport.com/2020/10/08/ryuks-return/', 'https://www.youtube.com/watch?v=LA-XE5Jy2kU', 'https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader', 'https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html', 'https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/', 'https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/', 'https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt'], 'synonyms': ['Agentemis', 'BEACON', 'CobaltStrike', 'cobeacon']}\n", "Cobian RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat', 'https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html', 'https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat', 'https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/']}\n", "CobInt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint', 'http://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://asert.arbornetworks.com/double-the-infection-double-the-fun/', 'https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint', 'https://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.group-ib.com/blog/renaissance', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/', 'https://www.netscout.com/blog/asert/double-infection-double-fun'], 'synonyms': ['COOLPANTS']}\n", "Cobra Carbon System {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra', 'https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf', 'https://docs.broadcom.com/doc/waterbug-attack-group', 'https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf', 'https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon', 'https://securelist.com/shedding-skin-turlas-fresh-faces/88069/', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra', 'https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf', 'https://www.circl.lu/pub/tr-25/', 'https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/', 'https://securelist.com/analysis/publications/65545/the-epic-turla-operation/', 'https://www.youtube.com/watch?v=FttiysUZmDw', 'https://github.com/hfiref0x/TDL', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity'], 'synonyms': ['Carbon']}\n", "CockBlocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker', 'https://twitter.com/JaromirHorejsi/status/817311664391524352']}\n", "CodeKey {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey', 'https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf']}\n", "CodeCore {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.code_core', 'https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a']}\n", "Cohhoc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc', 'https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf']}\n", "Coinminer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer', 'https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/', 'https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/', 'https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/', 'https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html', 'https://www.triskelelabs.com/investigating-monero-coin-miner', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://secrary.com/ReversingMalware/CoinMiner/']}\n", "coldbrew {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coldbrew', 'https://businessinsights.bitdefender.com/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild']}\n", "ColdLock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock', 'https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html', 'https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5']}\n", "Cold$eal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal', 'https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/', 'https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html', 'https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html', 'https://www.youtube.com/watch?v=242Tn0IL2jE', 'http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/'], 'synonyms': ['ColdSeal']}\n", "ColdStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coldstealer', 'https://asec.ahnlab.com/ko/31703/', 'https://asec.ahnlab.com/en/32090/']}\n", "Colibri Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri', 'https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/', 'https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/', 'https://fr3d.hk/blog/colibri-loader-back-to-basics', 'https://github.com/Casperinous/colibri_loader']}\n", "CollectorGoomba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba', 'https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/'], 'synonyms': ['Collector Stealer']}\n", "Colony {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.colony', 'https://pastebin.com/GtjBXDmz', 'https://twitter.com/anyrun_app/status/976385355384590337', 'https://secrary.com/ReversingMalware/Colony_Bandios/'], 'synonyms': ['Bandios', 'GrayBird']}\n", "Combojack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack', 'https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/']}\n", "Combos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.combos', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "ComeBacker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker', 'https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/', 'https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/', 'https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/', 'https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/', 'https://www.anquanke.com/post/id/230161']}\n", "Comfoo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.comfoo', 'https://www.secureworks.com/research/secrets-of-the-comfoo-masters']}\n", "ComLook {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.comlook', 'https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook', 'https://twitter.com/ClearskySec/status/1484211242474561540']}\n", "ComodoSec {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec', 'https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf']}\n", "COMpfun {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun', 'https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence', 'https://securelist.com/compfun-successor-reductor/93633/', 'https://securelist.com/it-threat-evolution-q2-2020/98230', 'https://securelist.com/compfun-http-status-based-trojan/96874/', 'https://securelist.com/apt-trends-report-q2-2019/91897/'], 'synonyms': ['Reductor RAT']}\n", "Computrace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace', 'https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html', 'https://asert.arbornetworks.com/lojack-becomes-a-double-agent/', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/'], 'synonyms': ['lojack']}\n", "ComradeCircle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle', 'https://twitter.com/struppigel/status/816926371867926528']}\n", "concealment_troy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy', 'https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf', 'http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html']}\n", "Conficker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker', 'http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html', 'https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md', 'https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker', 'https://www.minitool.com/backup-tips/conficker-worm.html', 'https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'http://contagiodump.blogspot.com/2009/05/win32conficker.html', 'https://github.com/tillmannw/cnfckr', 'https://redcanary.com/blog/intelligence-insights-january-2022/'], 'synonyms': ['Kido', 'downadup', 'traffic converter']}\n", "Confucius {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius', 'https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat', 'https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html', 'https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/', 'https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/']}\n", "Conti (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.conti', 'https://github.com/TheParmak/conti-leaks-englished', 'https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/', 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti', 'https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/', 'https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/', 'https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://thedfirreport.com/2021/05/12/conti-ransomware/', 'https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/', 'https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks', 'https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months', 'https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware', 'https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks', 'https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru', 'https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/', 'https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/', 'https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/', 'https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/', 'https://www.mbsd.jp/research/20210413/conti-ransomware/', 'https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one', 'https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/', 'https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728', 'https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider', 'https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html', 'https://securelist.com/luna-black-basta-ransomware/106950', 'https://twitter.com/TheDFIRReport/status/1498642512935800833', 'https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire', 'https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html', 'https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf', 'https://www.prevailion.com/what-wicked-webs-we-unweave/', 'https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74', 'https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd', 'https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/', 'http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/', 'https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/', 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/', 'https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/', 'https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again', 'https://share.vx-underground.org/Conti/', 'https://www.crowdstrike.com/blog/wizard-spider-adversary-update/', 'https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html', 'https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/', 'https://www.youtube.com/watch?v=hmaWy9QIC7c', 'https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/', 'https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/', 'https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/', 'https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent', 'https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/', 'https://intel471.com/blog/conti-leaks-cybercrime-fire-team', 'https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/', 'https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks', 'https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked', 'https://intel471.com/blog/shipping-companies-ransomware-credentials', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware', 'https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2', 'https://www.youtube.com/watch?v=uORuVVQzZ0A', 'https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles', 'https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/', 'https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/', 'https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html', 'https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed', 'https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/', 'https://twitter.com/AltShiftPrtScn/status/1423188974298861571', 'https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia', 'https://twitter.com/AltShiftPrtScn/status/1350755169965924352', 'https://www.youtube.com/watch?v=cYx7sQRbjGA', 'https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/', 'https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems', 'https://github.com/whichbuffer/Conti-Ransomware-IOC', 'https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://twitter.com/AltShiftPrtScn/status/1417849181012647938', 'https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/', 'https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/', 'https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider', 'https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/', 'https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape', 'https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://redcanary.com/blog/intelligence-insights-november-2021/', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware', 'https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/', 'https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf', 'https://thehackernews.com/2022/05/malware-analysis-trickbot.html', 'https://www.ic3.gov/Media/News/2021/210521.pdf', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf', 'https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf', 'https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir', 'https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf', 'https://us-cert.cisa.gov/ncas/alerts/aa21-265a', 'https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti', 'https://intel471.com/blog/conti-emotet-ransomware-conti-leaks', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf', 'https://github.com/cdong1012/ContiUnpacker', 'https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8', 'https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf', 'https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/', 'https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf', 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098', 'https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked', 'https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/', 'https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations', 'https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html', 'https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/', 'https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement', 'https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel', 'https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf', 'https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/', 'https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf', 'https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf', 'https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/', 'https://www.ironnet.com/blog/ransomware-graphic-blog', 'https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve', 'https://arcticwolf.com/resources/blog/karakurt-web', 'https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html', 'https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf', 'https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/', 'https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/', 'https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/', 'https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide', 'https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/', 'https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti', 'https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups', 'https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/', 'https://thedfirreport.com/2021/12/13/diavol-ransomware/', 'https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/', 'https://unit42.paloaltonetworks.com/conti-ransomware-gang/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.threatstop.com/blog/conti-ransomware-source-code-leaked', 'https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/', 'https://www.connectwise.com/resources/conti-profile', 'https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures', 'https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/', 'https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love']}\n", "Contopee {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee', 'https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks', 'https://content.fireeye.com/apt/rpt-apt38', 'https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks'], 'synonyms': ['WHITEOUT']}\n", "CookieBag {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "CopperStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.copper_stealer', 'https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft', 'https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html']}\n", "Corebot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot', 'https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/', 'https://www.crowdstrike.com/blog/ecrime-ecosystem/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf']}\n", "CoreDN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn', 'https://blog.alyac.co.kr/2105', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content', 'https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription', 'https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/']}\n", "Coreshell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell', 'https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/', 'http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'http://malware.prevenity.com/2014/08/malware-info.html', 'http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html', 'https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf'], 'synonyms': ['SOURFACE']}\n", "CoronaVirus Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware', 'https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html'], 'synonyms': ['CoronaVirus Cover-Ransomware']}\n", "CosmicDuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cosmicduke', 'https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/', 'https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf']}\n", "Cotx RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx', 'https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/', 'https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf', 'https://vblocalhost.com/uploads/VB2020-20.pdf', 'https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf', 'https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf', 'https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf', 'https://www.youtube.com/watch?v=1WfPlgtfWnQ', 'https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html']}\n", "Covicli {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.covicli', 'https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf'], 'synonyms': ['Covically']}\n", "Covid22 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.covid22', 'https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr']}\n", "CoViper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper', 'https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html', 'https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/']}\n", "crackshot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crackshot', 'https://content.fireeye.com/apt-41/rpt-apt41/']}\n", "CradleCore {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore']}\n", "CRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crat', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://suspected.tistory.com/269', 'https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg', 'https://www.secrss.com/articles/18635', 'https://blog.talosintelligence.com/2020/11/crat-and-plugins.html']}\n", "CREAMSICLE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf']}\n", "CredoMap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.credomap', 'https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://cert.gov.ua/article/341128']}\n", "Credraptor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor', 'http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/']}\n", "Crenufs {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs']}\n", "Crimson RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson', 'https://twitter.com/katechondic/status/1502206599166939137', 'https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html', 'https://s.tencent.com/research/report/669.html', 'https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1', 'https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/', 'https://www.secrss.com/articles/24995', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg', 'https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/', 'https://securelist.com/transparent-tribe-part-1/98127/', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'https://blog.yoroi.company/research/transparent-tribe-four-years-later', 'https://www.secureworks.com/research/threat-profiles/copper-fieldstone', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf', 'https://twitter.com/teamcymru_S2/status/1501955802025836546', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf', 'https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east', 'https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/', 'https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/', 'https://twitter.com/teamcymru/status/1351228309632385027', 'https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html', 'https://www.4hou.com/posts/vLzM', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF', 'https://securelist.com/transparent-tribe-part-2/98233/', 'https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/', 'https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ', 'https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf', 'https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/'], 'synonyms': ['SEEDOOR', 'Scarimson']}\n", "CrimsonIAS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crimsonias', 'https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user/']}\n", "Cring {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cring', 'https://twitter.com/swisscom_csirt/status/1354052879158571008', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf', 'https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728', 'https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "CROSSWALK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk', 'https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/', 'https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.youtube.com/watch?v=8x-pGlWpIYI', 'https://thehackernews.com/2021/01/researchers-disclose-undocumented.html', 'https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/', 'https://www.youtube.com/watch?v=FttiysUZmDw', 'https://twitter.com/MrDanPerez/status/1159459082534825986', 'https://content.fireeye.com/apt-41/rpt-apt41/'], 'synonyms': ['Motnug', 'ProxIP', 'TOMMYGUN']}\n", "Crutch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch', 'https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/', 'https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf']}\n", "Cryakl {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl', 'https://twitter.com/demonslay335/status/971164798376468481', 'https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/', 'https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process', 'https://twitter.com/bartblaze/status/1305197264332369920', 'https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html', 'https://twitter.com/albertzsigovits/status/1217866089964679174', 'https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/', 'https://hackmag.com/security/ransomware-russian-style/', 'https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/', 'https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/', 'https://www.telekom.com/en/blog/group/article/lockdata-auction-631300', 'https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx', 'https://securelist.com/cis-ransomware/104452/'], 'synonyms': ['CryLock']}\n", "CryLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker']}\n", "CrypMic {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic', 'https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/', 'https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/']}\n", "Crypt0l0cker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker', 'http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html']}\n", "CryptBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot', 'https://asec.ahnlab.com/en/26052/', 'https://asec.ahnlab.com/en/31683/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.mandiant.com/resources/russian-targeting-gov-business', 'https://experience.mandiant.com/trending-evil-2/p/1', 'https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/', 'https://asec.ahnlab.com/en/24423/', 'https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf', 'https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/', 'https://asec.ahnlab.com/en/35981/', 'https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger', 'https://fr3d.hk/blog/cryptbot-too-good-to-be-true']}\n", "CrypticConvo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo', 'https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/']}\n", "CryptoDarkRubix {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptodarkrubix', 'https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html'], 'synonyms': ['Ranet']}\n", "CryptoLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker', 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-evergreen', 'https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware', 'https://sites.temple.edu/care/ci-rw-attacks/', 'http://www.secureworks.com/research/threat-profiles/gold-evergreen', 'https://www.secureworks.com/research/cryptolocker-ransomware', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf']}\n", "CryptoLuck {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck', 'http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/']}\n", "CryptoMix {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix', 'https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/', 'https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/', 'https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/'], 'synonyms': ['CryptFile2']}\n", "CryptoPatronum {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptopatronum', 'https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html']}\n", "Cryptorium {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium', 'https://twitter.com/struppigel/status/810770490491043840']}\n", "CryptoShield {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield', 'http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/', 'https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/']}\n", "CryptoShuffler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler', 'https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/']}\n", "Cryptowall {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f']}\n", "CryptoWire {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire', 'https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/']}\n", "CryptoFortress {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress', 'https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/', 'http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html']}\n", "CryptoRansomeware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware', 'https://twitter.com/JaromirHorejsi/status/818369717371027456']}\n", "CryptXXXX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx', 'https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/', 'https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/']}\n", "CsExt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.csext', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "CTB Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://samvartaka.github.io/malware/2015/11/20/ctb-locker']}\n", "Cuba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba', 'https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/', 'https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf', 'https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html', 'https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/', 'https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis', 'https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/', 'https://www.mandiant.com/resources/unc2596-cuba-ransomware', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis', 'https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more', 'https://www.ic3.gov/Media/News/2021/211203-2.pdf', 'https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware', 'https://lab52.io/blog/cuba-ransomware-analysis/', 'https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/', 'https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html', 'https://blog.group-ib.com/hancitor-cuba-ransomware'], 'synonyms': ['COLDDRAW']}\n", "Cuegoe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe', 'https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal', 'http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html', 'https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html']}\n", "Cueisfry {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry', 'https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761']}\n", "Curator {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.curator', 'https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf'], 'synonyms': ['Ever101']}\n", "Cursed Murderer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cursed_murderer', 'https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html']}\n", "Cutlet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html', 'https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf', 'https://explore.group-ib.com/htct/hi-tech_crime_2018', 'http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html']}\n", "Cutwail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt', 'https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/', 'https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/', 'http://www.secureworks.com/research/threat-profiles/gold-essex', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://darknetdiaries.com/episode/110/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-essex', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/']}\n", "CyberGate {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate', 'https://citizenlab.ca/2015/12/packrat-report/', 'https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process', 'https://blog.reversinglabs.com/blog/rats-in-the-library', 'https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns'], 'synonyms': ['Rebhip']}\n", "CyberSplitter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter']}\n", "CycBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot', 'https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/']}\n", "Cyrat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat', 'https://www.gdatasoftware.com/blog/cyrat-ransomware', 'https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html']}\n", "cysxl {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.cysxl', 'https://www.enigmasoftware.com/bkdrcysxla-removal/']}\n", "Dacls (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls', 'https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/', 'https://blog.netlab.360.com/dacls-the-dual-platform-rat/', 'https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/', 'https://www.sygnia.co/mata-framework', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://malwareandstuff.com/peb-where-magic-is-stored/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf'], 'synonyms': ['MATA']}\n", "DADJOKE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke', 'https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/', 'https://twitter.com/ClearskySec/status/1110941178231484417', 'https://www.youtube.com/watch?v=vx9IB88wXSE', 'https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts', 'https://twitter.com/a_tweeter_user/status/1154764787823316993', 'https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9']}\n", "DADSTACHE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache', 'https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a', 'https://twitter.com/killamjr/status/1204584085395517440', 'https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97', 'https://twitter.com/cyb3rops/status/1199978327697694720', 'https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html', 'https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign']}\n", "Dairy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "DanaBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://research.checkpoint.com/danabot-demands-a-ransom-payment/', 'https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense', 'https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor', 'https://security-soup.net/decoding-a-danabot-downloader/', 'https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf', 'https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/', 'https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot', 'https://blog.lexfo.fr/danabot-malware.html', 'https://www.mandiant.com/resources/supply-chain-node-js', 'https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns', 'https://twitter.com/f0wlsec/status/1459892481760411649', 'https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service', 'https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html', 'https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/', 'https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/', 'https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://asert.arbornetworks.com/danabots-travels-a-global-perspective/', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://asec.ahnlab.com/en/30445/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/', 'https://malwareandstuff.com/deobfuscating-danabots-api-hashing/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/']}\n", "danbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot', 'https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/', 'https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf', 'https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf', 'https://www.secureworks.com/research/threat-profiles/cobalt-lyceum', 'https://www.youtube.com/watch?v=FttiysUZmDw', 'https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf', 'https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f']}\n", "DarkComet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet', 'https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services', 'https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/', 'https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://content.fireeye.com/apt/rpt-apt38', 'https://www.secureworks.com/research/threat-profiles/copper-fieldstone', 'https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf', 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html', 'https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/', 'https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html', 'http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html', 'https://www.secureworks.com/research/threat-profiles/aluminum-saratoga', 'https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html', 'https://www.tgsoft.it/files/report/download.asp?id=7481257469', 'https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['Breut', 'Fynloski', 'klovbot']}\n", "DarkEye {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkeye', 'https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed']}\n", "DarkIRC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkirc', 'https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability']}\n", "DarkLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkloader', 'https://twitter.com/3xp0rtblog/status/1459081435361517585']}\n", "DarkMe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkme', 'http://blog.nsfocus.net/darkcasino-apt-evilnum/']}\n", "DarkMegi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi', 'http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html', 'http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html']}\n", "Darkmoon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon', 'http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html', 'https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml', 'http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html'], 'synonyms': ['Chymine']}\n", "DarkPulsar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar', 'https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/']}\n", "DarkRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat', 'https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md', 'https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel']}\n", "DarkShell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell', 'https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/']}\n", "DarkSide (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside', 'https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/', 'https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html', 'https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/', 'https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/', 'https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/', 'https://www.secjuice.com/blue-team-detection-darkside-ransomware/', 'https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/', 'https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/', 'https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/', 'https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/', 'https://www.ic3.gov/Media/News/2021/211101.pdf', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/', 'https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin', 'http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/', 'https://www.secureworks.com/research/threat-profiles/gold-waterfall', 'https://www.youtube.com/watch?v=NIiEcOryLpI', 'https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html', 'https://brandefense.io/darkside-ransomware-analysis-report/', 'https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'https://www.varonis.com/blog/darkside-ransomware/', 'https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack', 'https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/', 'https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/', 'https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/', 'https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions', 'https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/', 'https://threatpost.com/guess-fashion-data-loss-ransomware/167754/', 'https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf', 'https://zawadidone.nl/darkside-ransomware-analysis/', 'https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/', 'https://therecord.media/popular-hacking-forum-bans-ransomware-ads/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/', 'https://www.acronis.com/en-us/articles/darkside-ransomware/', 'https://unit42.paloaltonetworks.com/darkside-ransomware/', 'https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/', 'https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/', 'https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/', 'https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/', 'https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/', 'https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections', 'https://twitter.com/GelosSnake/status/1451465959894667275', 'https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://community.riskiq.com/article/fdf74f23', 'https://twitter.com/sysopfb/status/1422280887274639375', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware', 'https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom', 'https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/', 'https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/', 'https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/', 'https://blog.group-ib.com/blackmatter2', 'https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/', 'https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html', 'https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636', 'https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/', 'https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://www.glimps.fr/lockbit3-0/', 'https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html', 'https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/', 'https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html', 'https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/', 'https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html', 'https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/', 'https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf', 'https://twitter.com/JAMESWT_MHT/status/1388301138437578757', 'https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968', 'https://asec.ahnlab.com/en/34549/', 'https://www.mandiant.com/resources/burrowing-your-way-into-vpns', 'https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside', 'https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/', 'https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/', 'https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/', 'https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims', 'https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6', 'https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf', 'https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/', 'https://twitter.com/ValthekOn/status/1422385890467491841?s=20', 'https://blog.group-ib.com/blackmatter#', 'https://us-cert.cisa.gov/ncas/alerts/aa21-131a', 'https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted', 'https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b', 'https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/', 'https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service', 'https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group', 'https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://github.com/sisoma2/malware_analysis/tree/master/blackmatter', 'https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/', 'https://www.databreaches.net/a-chat-with-darkside/', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://www.youtube.com/watch?v=qxPXxWMI2i4'], 'synonyms': ['BlackMatter']}\n", "Darksky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky', 'https://blog.radware.com/security/2018/02/darksky-botnet/', 'http://telegra.ph/Analiz-botneta-DarkSky-12-30']}\n", "DarkStRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat', 'https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/']}\n", "DarkTequila {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila', 'https://securelist.com/dark-tequila-anejo/87528/']}\n", "DarkTortilla {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla', 'https://www.secureworks.com/research/darktortilla-malware-analysis']}\n", "Darktrack RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat', 'https://www.facebook.com/darktrackrat/', 'https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html', 'https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf', 'https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1', 'http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml', 'https://www.tgsoft.it/files/report/download.asp?id=7481257469']}\n", "DarkVNC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc', 'https://reaqta.com/2017/11/short-journey-darkvnc/', 'https://isc.sans.edu/diary/rss/28934', 'https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884']}\n", "Daserf {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf', 'https://www.secureworks.com/research/threat-profiles/bronze-butler', 'http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/', 'https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/', 'https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses'], 'synonyms': ['Muirim', 'Nioupale']}\n", "DataExfiltrator {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator', 'https://blog.reversinglabs.com/blog/data-exfiltrator'], 'synonyms': ['FileSender']}\n", "Datper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.datper', 'http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/', 'http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html', 'https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf', 'https://www.macnica.net/mpressioncss/feature_05.html/', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses']}\n", "Daxin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin', 'https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/', 'https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage', 'https://twitter.com/M_haggis/status/1498399791276912640', 'https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6', 'https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis']}\n", "DBatLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader', 'https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/', 'https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html', 'https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/', 'https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands', 'https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat'], 'synonyms': ['ModiLoader', 'NatsoLoader']}\n", "DCRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://community.riskiq.com/article/50c77491', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf', 'https://www.youtube.com/watch?v=ElqmQDySy48', 'https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains', 'https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://cert.gov.ua/article/160530', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html', 'https://cert.gov.ua/article/405538', 'https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html', 'https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and', 'https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html', 'https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html'], 'synonyms': ['DarkCrystal RAT']}\n", "DCSrv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dcsrv', 'https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/'], 'synonyms': ['DCrSrv']}\n", "DDKeylogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger', 'https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators']}\n", "DDKONG {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong', 'https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/', 'https://www.secureworks.com/research/threat-profiles/bronze-overbrook', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/', 'https://unit42.paloaltonetworks.com/atoms/rancortaurus/']}\n", "DEADWOOD {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deadwood', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/'], 'synonyms': ['Agrius', 'DETBOSIT', 'SQLShred']}\n", "DealPly {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dealply', 'https://securelist.com/threat-in-your-browser-extensions/107181', 'https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/']}\n", "dearcry {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry', 'https://www.youtube.com/watch?v=Hhx9Q2i7zGo', 'https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s', 'https://www.youtube.com/watch?v=qmCjtigVVR0', 'https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities', 'https://www.youtube.com/watch?v=MRTdGUy1lfw', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b', 'https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf', 'https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/'], 'synonyms': ['DoejoCrypt']}\n", "DeathRansom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom', 'https://asec.ahnlab.com/1269', 'https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md', 'https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html', 'https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html', 'https://twitter.com/Amigo_A_/status/1196898012645220354', 'https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html', 'https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html'], 'synonyms': ['deathransom', 'wacatac']}\n", "DECAF {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf', 'https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance']}\n", "Decebal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal', 'https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf', 'https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html']}\n", "DeepRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deep_rat', 'https://twitter.com/benkow_/status/1415797114794397701']}\n", "Defray {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.defray', 'https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html', 'https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals', 'https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html', 'https://www.secureworks.com/research/threat-profiles/gold-dupont', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/', 'https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3', 'https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/'], 'synonyms': ['Glushkov']}\n", "Deimos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos', 'https://www.elastic.co/blog/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant']}\n", "Delta(Alfa,Bravo, ...) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas']}\n", "Dented {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dented']}\n", "Deprimon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon', 'https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/']}\n", "DeputyDog {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog', 'https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html']}\n", "DeriaLock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock', 'https://twitter.com/struppigel/status/812601286088597505']}\n", "DeroHE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe', 'https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/']}\n", "Derusbi (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf', 'https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-firestone', 'https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf', 'https://attack.mitre.org/groups/G0001/', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk', 'https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/', 'https://attack.mitre.org/groups/G0096', 'https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family', 'http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf', 'https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/', 'https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf'], 'synonyms': ['PHOTO']}\n", "DesertBlade {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.desertblade', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/']}\n", "Devil's Rat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat']}\n", "Dexbia {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia', 'https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf'], 'synonyms': ['CONIME']}\n", "Dexphot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dexphot', 'https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/']}\n", "Dexter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter', 'https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/', 'http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html', 'https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html', 'https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html'], 'synonyms': ['LusyPOS']}\n", "Dharma {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma', 'https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://twitter.com/JakubKroustek/status/1087808550309675009', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground', 'https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/', 'https://www.group-ib.com/media/iran-cybercriminals/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/', 'https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack', 'https://www.acronis.com/en-us/articles/Dharma-ransomware/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware', 'https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/', 'https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware', 'https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/', 'https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/', 'https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/', 'https://securelist.com/cis-ransomware/104452/'], 'synonyms': ['Arena', 'Crysis', 'Wadhrama', 'ncov']}\n", "DiamondFox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox', 'https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF', 'https://www.scmagazine.com/inside-diamondfox/article/578478/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/', 'https://blog.cylance.com/a-study-in-bots-diamondfox', 'https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced', 'https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/', 'https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/'], 'synonyms': ['Crystal', 'Gorynch', 'Gorynych']}\n", "Diavol {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol', 'https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/', 'https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider', 'https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/', 'https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648', 'https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/', 'https://thedfirreport.com/2021/12/13/diavol-ransomware/', 'https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/', 'https://arcticwolf.com/resources/blog/karakurt-web', 'https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/', 'https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday', 'https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/', 'https://www.ic3.gov/Media/News/2022/220120.pdf', 'https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/']}\n", "DILLJUICE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html']}\n", "DilongTrash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dilongtrash', 'https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/']}\n", "Dimnie {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie', 'http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/']}\n", "DinoTrain {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dinotrain', 'https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/']}\n", "DirCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt', 'https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/']}\n", "DirtyMoe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe', 'https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/', 'https://decoded.avast.io/martinchlumecky/dirtymoe-1/', 'https://decoded.avast.io/martinchlumecky/dirtymoe-4/', 'https://decoded.avast.io/martinchlumecky/dirtymoe-5/', 'https://decoded.avast.io/martinchlumecky/dirtymoe-3/', 'https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html']}\n", "DispCashBR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr', 'https://twitter.com/r3c0nst/status/1232944566208286720', 'https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/']}\n", "DispenserXFS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs', 'https://twitter.com/cyb3rops/status/1101138784933085191']}\n", "DistTrack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack', 'https://securelist.com/shamoon-the-wiper-copycats-at-work/', 'https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf', 'https://malwareindepth.com/shamoon-2012/', 'https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis', 'https://content.fireeye.com/m-trends/rpt-m-trends-2017', 'https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail', 'https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/', 'http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412', 'http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/', 'https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/', 'https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/', 'https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks', 'https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf', 'http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware'], 'synonyms': ['Shamoon']}\n", "Divergent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent', 'https://blog.talosintelligence.com/2019/09/divergent-analysis.html', 'https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf', 'https://www.cert-pa.it/notizie/devergent-malware-fileless/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/', 'https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/'], 'synonyms': ['Novter']}\n", "Diztakun {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.diztakun', 'https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process']}\n", "DMA Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker', 'https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/', 'https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/', 'https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/']}\n", "DMSniff {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff', 'https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/']}\n", "DneSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy', 'https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html']}\n", "DNSChanger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger', 'https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/']}\n", "DNSMessenger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/', 'https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://blog.talosintelligence.com/2017/03/dnsmessenger.html', 'http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/'], 'synonyms': ['TEXTMATE']}\n", "DNSpionage {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage', 'https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/', 'https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html', 'https://www.secureworks.com/research/threat-profiles/cobalt-edgewater', 'https://nsfocusglobal.com/apt34-event-analysis-report/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/', 'https://marcoramilli.com/2019/04/23/apt34-webmask-project/', 'https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html', 'https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/', 'https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html', 'https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.us-cert.gov/ncas/alerts/AA19-024A'], 'synonyms': ['Agent Drable', 'AgentDrable', 'Webmask']}\n", "DogHousePower {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower', 'http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf'], 'synonyms': ['Shelma']}\n", "donut_injector {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector', 'https://thewover.github.io/Introducing-Donut/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us'], 'synonyms': ['Donut']}\n", "DoorMe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/']}\n", "DoppelDridex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/', 'https://redcanary.com/blog/grief-ransomware/', 'https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays', 'https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true', 'https://medium.com/s2wlab/operation-synctrek-e5013df8d167', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware', 'https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/', 'https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/', 'https://cyber-anubis.github.io/malware%20analysis/dridex/', 'https://blogs.blackberry.com/en/2021/11/zebra2104', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/', 'https://twitter.com/BrettCallow/status/1453557686830727177?s=20']}\n", "DoppelPaymer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer', 'https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1', 'https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/', 'https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/', 'https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/', 'https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/', 'https://www.ic3.gov/Media/News/2020/201215-1.pdf', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://twitter.com/vikas891/status/1385306823662587905', 'https://redcanary.com/blog/grief-ransomware/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/', 'https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf', 'https://medium.com/s2wlab/operation-synctrek-e5013df8d167', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/', 'http://www.secureworks.com/research/threat-profiles/gold-heron', 'https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/', 'https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/', 'https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot', 'https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/', 'https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://twitter.com/BrettCallow/status/1453557686830727177?s=20', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-heron', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://twitter.com/AltShiftPrtScn/status/1385103712918642688', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding', 'https://techcrunch.com/2020/03/01/visser-breach/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/', 'https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/', 'https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html', 'https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer'], 'synonyms': ['Pay OR Grief']}\n", "NgrBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot', 'https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/', 'https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/', 'http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html', 'https://research.checkpoint.com/dorkbot-an-investigation/']}\n", "Dorshel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks', 'https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group']}\n", "Dot Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dot_ransomware', 'https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html'], 'synonyms': ['MZP Ransomware']}\n", "DOUBLEBACK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback', 'https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html']}\n", "DoubleFantasy (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy', 'https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/', 'https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/', 'https://twitter.com/Int2e_/status/1294565186939092994'], 'synonyms': ['VALIDATOR']}\n", "DoublePulsar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor', 'https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/', 'https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit', 'https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/']}\n", "DoubleZero {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://securelist.com/new-ransomware-trends-in-2022/106457/', 'https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/', 'https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html', 'https://cert.gov.ua/article/38088', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html'], 'synonyms': ['FiberLake']}\n", "Downdelph {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph', 'https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/', 'https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf'], 'synonyms': ['DELPHACY']}\n", "Downeks {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks', 'https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/', 'http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412']}\n", "DownPaper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper', 'https://www.infinitumit.com.tr/apt-35/', 'http://www.clearskysec.com/charmingkitten/', 'https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf']}\n", "DramNudge {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge']}\n", "DRATzarus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus', 'http://blog.nsfocus.net/stumbzarus-apt-lazarus/', 'https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf']}\n", "DreamBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot', 'https://community.riskiq.com/article/30f22a00', 'https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality', 'https://www.youtube.com/watch?v=EyDiIAt__dI', 'https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/', 'https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451', 'https://lokalhost.pl/gozi_tree.txt']}\n", "Dridex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex', 'https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://adalogics.com/blog/the-state-of-advanced-code-injections', 'https://blog.lexfo.fr/dridex-malware.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks', 'https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp', 'https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/', 'https://unit42.paloaltonetworks.com/travel-themed-phishing/', 'https://viql.github.io/dridex/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/', 'http://www.secureworks.com/research/threat-profiles/gold-drake', 'https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/', 'https://threatresearch.ext.hp.com/detecting-ta551-domains/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-heron', 'https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/', 'https://twitter.com/Cryptolaemus1/status/1407135648528711680', 'https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization', 'https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/', 'https://www.secureworks.com/research/threat-profiles/gold-drake', 'https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/', 'https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/', 'https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/', 'https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf', 'https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/', 'https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/', 'https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps', 'https://www.atomicmatryoshka.com/post/malware-headliners-dridex', 'https://community.riskiq.com/article/2cd1c003', 'https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77', 'https://muha2xmad.github.io/unpacking/dridex/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://home.treasury.gov/news/press-releases/sm845', 'https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/', 'https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/', 'https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf', 'https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/', 'https://medium.com/s2wlab/operation-synctrek-e5013df8d167', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/', 'https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/', 'https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office', 'https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex', 'https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/', 'https://en.wikipedia.org/wiki/Maksim_Yakubets', 'https://twitter.com/felixw3000/status/1382614469713530883?s=20', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain', 'https://www.youtube.com/watch?v=1VB15_HgUkg', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-heron', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://malwarebookreports.com/cryptone-cobalt-strike/', 'https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state', 'https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf', 'https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/', 'https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much', 'https://artik.blue/malware3', 'https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/', 'https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process', 'https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf', 'https://securityintelligence.com/dridexs-cold-war-enter-atombombing/', 'https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf', 'https://twitter.com/TheDFIRReport/status/1356729371931860992', 'https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/', 'https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://intel471.com/blog/privateloader-malware', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf', 'https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf', 'https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/', 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group', 'https://community.riskiq.com/article/e4fb7245', 'https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/', 'https://cyber-anubis.github.io/malware%20analysis/dridex/', 'https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/']}\n", "DRIFTPIN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-niagara', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html', 'https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/'], 'synonyms': ['Spy.Agent.ORM', 'Toshliph']}\n", "Dripion {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion', 'https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan'], 'synonyms': ['Masson']}\n", "DriveOcean {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.driveocean', 'https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html'], 'synonyms': ['Google Drive RAT']}\n", "DropBook {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook', 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf', 'https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign']}\n", "DROPSHOT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot', 'https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/', 'https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/', 'https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html']}\n", "Dtrack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack', 'https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/', 'https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/', 'https://blog.macnica.net/blog/2020/11/dtrack.html', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://securelist.com/my-name-is-dtrack/93338/', 'https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/'], 'synonyms': ['TroyRAT']}\n", "DualToy (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy', 'https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/']}\n", "DarkHotel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel', 'https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/', 'https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN', 'http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html', 'https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/']}\n", "DUBrute {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute', 'https://github.com/ch0sys/DUBrute']}\n", "DUCKTAIL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail', 'https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/', 'https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf']}\n", "Dumador {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador']}\n", "DuQu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf', 'https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/', 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf', 'https://docs.broadcom.com/doc/w32-duqu-11-en']}\n", "DUSTMAN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman', 'https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html', 'https://twitter.com/Irfan_Asrar/status/1213544175355908096', 'https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report']}\n", "Duuzer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.secureworks.com/research/threat-profiles/nickel-academy', 'https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group'], 'synonyms': ['Escad']}\n", "DYEPACK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack', 'https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch', 'https://securelist.com/blog/sas/77908/lazarus-under-the-hood/', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://github.com/649/APT38-DYEPACK', 'https://content.fireeye.com/apt/rpt-apt38'], 'synonyms': ['swift']}\n", "DynamicStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dynamicstealer', 'https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/']}\n", "Dyre {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre', 'https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group', 'http://www.secureworks.com/research/threat-profiles/gold-blackburn', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/', 'https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/', 'https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates', 'https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-blackburn', 'https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://www.secureworks.com/research/dyre-banking-trojan'], 'synonyms': ['Dyreza']}\n", "EagleMonitorRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eagle_monitor_rat', 'https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/']}\n", "EASYNIGHT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight', 'https://content.fireeye.com/api/pdfproxy?id=86840', 'https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/']}\n", "EDA2 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom', 'https://twitter.com/JaromirHorejsi/status/815861135882780673', 'https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/']}\n", "Egregor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor', 'https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf', 'https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf', 'https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf', 'https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/', 'https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware', 'https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/', 'https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html', 'https://securelist.com/targeted-ransomware-encrypting-data/99255/', 'https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/', 'https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html', 'https://www.intrinsec.com/egregor-prolock/', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf', 'https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis', 'https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/', 'https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html', 'https://www.group-ib.com/blog/egregor', 'https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor', 'https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/', 'https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia', 'https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html', 'https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/', 'https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/', 'https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/', 'https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide', 'https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/', 'https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox', 'https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/', 'https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/', 'https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html', 'https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://twitter.com/redcanary/status/1334224861628039169', 'https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/', 'https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html', 'https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/', 'https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/', 'https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware', 'https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/', 'https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer', 'https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/', 'https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel']}\n", "EHDevel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel', 'https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/']}\n", "ELECTRICFISH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish', 'https://www.us-cert.gov/ncas/analysis-reports/AR19-129A', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf']}\n", "ElectricPowder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder', 'https://www.clearskysec.com/iec/']}\n", "Elirks {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks', 'https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/']}\n", "Elise {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.elise', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries', 'https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-elgin', 'https://www.joesecurity.org/blog/8409877569366580427', 'https://securelist.com/blog/research/70726/the-spring-dragon-apt/', 'https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/', 'https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf', 'https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html'], 'synonyms': ['EVILNEST']}\n", "El Machete APT Backdoor Dropper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.elmachete_dropper_2022', 'https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/']}\n", "ELMER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer', 'https://attack.mitre.org/software/S0064', 'https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/', 'https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html', 'https://www.symantec.com/security-center/writeup/2015-122210-5724-99', 'https://attack.mitre.org/groups/G0023'], 'synonyms': ['Elmost']}\n", "Emdivi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi', 'http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/', 'http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/', 'https://securelist.com/new-activity-of-the-blue-termite-apt/71876/', 'http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html', 'https://www.macnica.net/file/security_report_20160613.pdf', 'https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/']}\n", "Emissary {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.emissary', 'https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/']}\n", "Emotet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet', 'https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques', 'https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/', 'https://blog.lumen.com/emotet-redux/', 'https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/', 'https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware', 'https://www.youtube.com/watch?v=_mGMJFNJWSk', 'https://feodotracker.abuse.ch/?filter=version_e', 'https://adalogics.com/blog/the-state-of-advanced-code-injections', 'https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis', 'https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html', 'https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html', 'https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/', 'https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns', 'https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/', 'https://www.secureworks.com/research/threat-profiles/gold-crestwood', 'https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/', 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2', 'https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/', 'https://www.youtube.com/watch?v=EyDiIAt__dI', 'https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b', 'https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html', 'https://asec.ahnlab.com/en/33600/', 'https://threatresearch.ext.hp.com/emotets-return-whats-different/', 'https://forensicitguy.github.io/emotet-excel4-macro-analysis/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf', 'https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/', 'https://unit42.paloaltonetworks.com/new-emotet-infection-method/', 'https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/', 'https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/', 'https://twitter.com/ContiLeaks/status/1498614197202079745', 'https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/', 'https://cert.grnet.gr/en/blog/reverse-engineering-emotet/', 'https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams', 'https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/', 'https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/', 'https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/', 'https://securelist.com/emotet-modules-and-recent-attacks/106290/', 'https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii', 'https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/', 'https://d00rt.github.io/emotet_network_protocol/', 'https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/', 'https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html', 'https://github.com/cecio/EMOTET-2020-Reversing', 'https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html', 'https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html', 'https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/', 'https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html', 'https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment', 'https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.zscaler.com/blogs/security-research/return-emotet-malware', 'https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/', 'https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf', 'https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf', 'https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros', 'https://securelist.com/the-chronicles-of-emotet/99660/', 'https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes', 'https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection', 'https://team-cymru.com/blog/2021/01/27/taking-down-emotet/', 'https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor', 'https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection', 'https://threatpost.com/emotet-spreading-malicious-excel-files/178444/', 'https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/', 'https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html', 'https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903', 'https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/', 'https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates', 'https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html', 'https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf', 'https://www.deepinstinct.com/blog/the-re-emergence-of-emotet', 'https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html', 'http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1', 'https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html', 'https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/', 'https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html', 'https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware', 'https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/', 'https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89', 'https://persianov.net/emotet-malware-analysis-part-1', 'https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/', 'https://twitter.com/eduardfir/status/1461856030292422659', 'https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/', 'https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html', 'https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/', 'https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break', 'https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/', 'https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html', 'https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html', 'https://www.youtube.com/watch?v=_BLOmClsSpc', 'https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/', 'https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/', 'https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html', 'https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles', 'https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/', 'https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/', 'https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728', 'https://www.jpcert.or.jp/english/at/2019/at190044.html', 'https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them', 'https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet', 'https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/', 'https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf', 'https://isc.sans.edu/diary/rss/28254', 'https://www.youtube.com/watch?v=8PHCZdpNKrw', 'https://www.youtube.com/watch?v=q8of74upT_g', 'https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/', 'https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code', 'https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes', 'https://www.tgsoft.it/files/report/download.asp?id=7481257469', 'https://community.riskiq.com/article/2cd1c003', 'https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action', 'https://cyber.wtf/2021/11/15/guess-whos-back/', 'https://blogs.cisco.com/security/emotet-is-back', 'https://www.hornetsecurity.com/en/security-information/emotet-is-back/', 'https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection', 'https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.youtube.com/watch?v=AkZ5TYBqcU4', 'https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf', 'https://twitter.com/Cryptolaemus1/status/1516535343281025032', 'https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/', 'https://pl-v.github.io/plv/posts/Emotet-unpacking/', 'https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/', 'https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf', 'https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html', 'https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return', 'https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/', 'https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/', 'https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/', 'https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure', 'https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html', 'https://unit42.paloaltonetworks.com/c2-traffic/', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet', 'https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf', 'https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/', 'https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/', 'https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html', 'https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/', 'https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled', 'https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/', 'https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022', 'https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/', 'https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents', 'https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack', 'https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf', 'https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware', 'https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return', 'https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69', 'https://www.digitalshadows.com/blog-and-research/emotet-disruption/', 'https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/', 'https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus', 'https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/', 'https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures', 'https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/', 'https://muha2xmad.github.io/unpacking/emotet-part-1/', 'https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/', 'https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/', 'https://github.com/d00rt/emotet_research', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612', 'https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office', 'https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/', 'https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html', 'https://intel471.com/blog/conti-emotet-ransomware-conti-leaks', 'https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage', 'https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis', 'https://muha2xmad.github.io/unpacking/emotet-part-2/', 'https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation', 'https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html', 'https://intel471.com/blog/emotet-takedown-2021/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf', 'https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol', 'https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/', 'https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/', 'https://unit42.paloaltonetworks.com/emotet-command-and-control/', 'https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak', 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service', 'https://twitter.com/milkr3am/status/1354459859912192002', 'https://cyber.wtf/2022/03/23/what-the-packer/', 'https://twitter.com/raashidbhatt/status/1237853549200936960', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://paste.cryptolaemus.com', 'https://www.cert.pl/en/news/single/whats-up-emotet/', 'https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html', 'https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html', 'https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/', 'https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/', 'https://blog.threatlab.info/malware-analysis-emotet-infection/', 'https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128', 'https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/', 'https://spamauditor.org/2020/10/the-many-faces-of-emotet/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf', 'https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf', 'https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx', 'https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html', 'https://github.com/mauronz/binja-emotet', 'https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot', 'https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf', 'https://www.hornetsecurity.com/en/threat-research/comeback-emotet/', 'https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers', 'https://www.youtube.com/watch?v=5_-oR_135ss', 'https://www.cert.pl/en/news/single/analysis-of-emotet-v4/', 'https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/', 'https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/', 'https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/', 'https://research.checkpoint.com/emotet-tricky-trojan-git-clones/', 'https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much', 'https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/', 'http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/', 'https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/', 'https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/', 'https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html', 'https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video', 'https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/', 'https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure', 'https://www.atomicmatryoshka.com/post/malware-headliners-emotet', 'https://blog.talosintelligence.com/2020/11/emotet-2020.html', 'https://isc.sans.edu/diary/rss/27036', 'https://www.us-cert.gov/ncas/alerts/TA18-201A', 'https://www.esentire.com/security-advisories/emotet-activity-identified', 'https://www.bitsight.com/blog/emotet-botnet-rises-again', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/', 'https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships', 'https://blogs.vmware.com/security/2022/05/emotet-config-redux.html', 'https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/', 'https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/', 'https://isc.sans.edu/diary/28044', 'https://experience.mandiant.com/trending-evil-2/p/1', 'https://www.lac.co.jp/lacwatch/alert/20211119_002801.html', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one', 'https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack', 'http://ropgadget.com/posts/defensive_pcres.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise', 'https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/', 'https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf', 'https://unit42.paloaltonetworks.com/domain-parking/', 'https://www.bitsight.com/blog/emotet-smb-spreader-back', 'https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/', 'https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf', 'https://www.lac.co.jp/lacwatch/people/20201106_002321.html', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure', 'https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/', 'https://hatching.io/blog/powershell-analysis', 'https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/', 'https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc', 'https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/', 'https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html', 'https://persianov.net/emotet-malware-analysis-part-2', 'https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['Geodo', 'Heodo']}\n", "Empire Downloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader', 'https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html', 'https://redcanary.com/blog/getsystem-offsec/', 'https://twitter.com/thor_scanner/status/992036762515050496', 'https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/', 'https://www.secureworks.com/research/threat-profiles/bronze-firestone', 'https://unit42.paloaltonetworks.com/atoms/obscureserpens/', 'https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/', 'http://www.secureworks.com/research/threat-profiles/gold-heron', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://us-cert.cisa.gov/ncas/alerts/aa20-275a', 'https://www.secureworks.com/research/threat-profiles/gold-ulrick', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-249a', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-burlap', 'https://paper.seebug.org/1301/', 'https://www.secureworks.com/research/threat-profiles/gold-heron', 'https://www.secureworks.com/research/threat-profiles/gold-drake', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf', 'https://attack.mitre.org/groups/G0096', 'https://www.mandiant.com/media/12596/download']}\n", "Emudbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.emudbot', 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp']}\n", "Enfal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal', 'https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf', 'https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/', 'https://attack.mitre.org/groups/G0011', 'https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/', 'https://www.secureworks.com/research/threat-profiles/bronze-palace'], 'synonyms': ['Lurid']}\n", "Entropy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy', 'https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "Enviserv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.enviserv', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Enviserv.A']}\n", "EnvyScout {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.envyscout', 'https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/', 'https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/', 'https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf', 'https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/']}\n", "Epsilon Red {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red', 'https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/', 'https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://news.sophos.com/en-us/2021/05/28/epsilonred/'], 'synonyms': ['BlackCocaine']}\n", "EquationDrug {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug', 'https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/', 'https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ', 'https://securelist.com/inside-the-equationdrug-espionage-platform/69203/', 'http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html']}\n", "Equationgroup (Sorting) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup', 'https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html', 'https://laanwj.github.io/2016/09/01/tadaqueos.html', 'https://laanwj.github.io/2016/08/28/feintcloud.html', 'https://laanwj.github.io/2016/09/13/blatsting-rsa.html', 'https://laanwj.github.io/2016/08/22/blatsting.html', 'https://laanwj.github.io/2016/09/23/seconddate-adventures.html', 'https://laanwj.github.io/2016/09/11/buzzdirection.html', 'https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/', 'https://laanwj.github.io/2016/09/17/seconddate-cnc.html', 'https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html']}\n", "Erbium Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer', 'https://twitter.com/abuse_ch/status/1565290110572175361']}\n", "Erebus (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus', 'https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/']}\n", "Eredel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel', 'https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab']}\n", "Erica Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.erica_ransomware', 'https://www.dropbox.com/s/f4uulu2rhyj4leb/Girl.scr_malware_report.pdf?dl=0']}\n", "Eris {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eris', 'https://lekstu.ga/posts/go-under-the-hood-eris/']}\n", "ESPecter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.especter', 'https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html', 'https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/']}\n", "EternalRocks {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks', 'https://github.com/stamparm/EternalRocks', 'https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/'], 'synonyms': ['MicroBotMassiveNet']}\n", "EternalPetya {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya', 'http://www.intezer.com/notpetya-returns-bad-rabbit/', 'https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html', 'https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/', 'https://securelist.com/big-threats-using-code-similarity-part-1/97239/', 'https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/', 'https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/', 'https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/', 'https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/', 'https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4', 'https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://attack.mitre.org/groups/G0034', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://www.secureworks.com/research/threat-profiles/iron-viking', 'https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html', 'https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/', 'https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik', 'https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf', 'https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html', 'https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer', 'https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/', 'https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/', 'https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/', 'https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine', 'https://www.riskiq.com/blog/labs/badrabbit/', 'https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/', 'https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/', 'https://securelist.com/bad-rabbit-ransomware/82851/', 'https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf', 'https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b', 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games', 'https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/', 'https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf', 'https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/', 'https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/', 'https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna', 'https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware', 'https://istari-global.com/spotlight/the-untold-story-of-notpetya/', 'https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/', 'https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/', 'http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html', 'https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks', 'https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html', 'https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html', 'http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html', 'https://gvnshtn.com/maersk-me-notpetya/', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/', 'https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/', 'http://blog.talosintelligence.com/2017/10/bad-rabbit.html', 'https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/', 'https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf', 'https://securelist.com/schroedingers-petya/78870/', 'https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/', 'https://securelist.com/from-blackenergy-to-expetr/78937/'], 'synonyms': ['BadRabbit', 'Diskcoder.C', 'ExPetr', 'NonPetya', 'NotPetya', 'Nyetya', 'Petna', 'Pnyetya', 'nPetya']}\n", "Eternity Clipper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_clipper', 'https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/', 'https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/']}\n", "Eternity Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_ransomware', 'https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/', 'https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/', 'https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/']}\n", "Eternity Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_stealer', 'https://blogs.blackberry.com/en/2022/06/threat-spotlight-eternity-project-maas-goes-on-and-on', 'https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/', 'https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/', 'https://blog.sekoia.io/eternityteam-a-new-prominent-threat-group-on-underground-forums/', 'https://twitter.com/3xp0rtblog/status/1509601846494695438', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://ke-la.com/information-stealers-a-new-landscape/']}\n", "Eternity Worm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_worm', 'https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/', 'https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/', 'https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/']}\n", "EtumBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot', 'https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html', 'https://www.secureworks.com/research/threat-profiles/bronze-globe', 'https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise'], 'synonyms': ['HighTide']}\n", "Evilbunny {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny', 'https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/', 'https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope', 'https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/']}\n", "EvilGrab {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab', 'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf', 'https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf'], 'synonyms': ['Vidgrab']}\n", "EVILNUM (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum', 'https://github.com/eset/malware-ioc/tree/master/evilnum', 'https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions', 'https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/', 'https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities', 'https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/', 'https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets', 'https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A']}\n", "EvilPlayout {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.evilplayout', 'https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/']}\n", "EvilPony {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony', 'https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/'], 'synonyms': ['CREstealer']}\n", "Evrial {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial', 'https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/']}\n", "Exaramel (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf', 'https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/', 'https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf', 'https://www.wired.com/story/sandworm-centreon-russia-hack/', 'https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/', 'https://attack.mitre.org/groups/G0034', 'https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf']}\n", "Excalibur {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur', 'https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies'], 'synonyms': ['Saber', 'Sabresac']}\n", "MS Exchange Tool {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool', 'https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://github.com/nccgroup/Royal_APT']}\n", "Exile RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat', 'https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html']}\n", "ExMatter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration', 'https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool', 'https://twitter.com/knight0x07/status/1461787168037240834?s=20']}\n", "Exorcist {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist', 'https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81']}\n", "Expiro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro', 'https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/', 'https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro'], 'synonyms': ['Xpiro']}\n", "Xtreme RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat', 'https://citizenlab.ca/2015/12/packrat-report/', 'https://www.secureworks.com/research/threat-profiles/aluminum-saratoga', 'https://blogs.360.cn/post/APT-C-44.html', 'https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017', 'https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html', 'https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat', 'https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g', 'https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html', 'https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1'], 'synonyms': ['ExtRat']}\n", "Eye Pyramid {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid', 'http://blog.talosintel.com/2017/01/Eye-Pyramid.html', 'https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/']}\n", "EYService {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice', 'https://blog.malwarelab.pl/posts/nazar_eyservice_comm/', 'https://www.epicturla.com/blog/the-lost-nazar', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://blog.malwarelab.pl/posts/nazar_eyservice/', 'https://research.checkpoint.com/2020/nazar-spirits-of-the-past/']}\n", "FakeRean {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean', 'https://0x3asecurity.wordpress.com/2015/11/30/134260124544/', 'https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv'], 'synonyms': ['Braviax']}\n", "FakeTC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc', 'http://www.welivesecurity.com/2015/07/30/operation-potao-express/', 'https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf']}\n", "FakeWord {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword', 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/']}\n", "fancyfilter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter', 'https://www.epicturla.com/previous-works/hitb2020-voltron-sta'], 'synonyms': ['0xFancyFilter']}\n", "Fanny {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny', 'https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1', 'https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/', 'https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf', 'https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/', 'https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/'], 'synonyms': ['DEMENTIAWHEEL']}\n", "FantomCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt', 'https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/']}\n", "Farseer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer', 'https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/', 'https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/', 'https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/']}\n", "FastLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader']}\n", "FastPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos', 'https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568', 'https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/', 'http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/', 'http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf']}\n", "FatalRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat', 'https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html', 'https://www.youtube.com/watch?v=gjvnVZc11Vg', 'https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html', 'https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis']}\n", "FatDuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke', 'https://www.secureworks.com/research/threat-profiles/iron-hemlock', 'https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf']}\n", "FCT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fct', 'https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html']}\n", "Felismus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus', 'https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments']}\n", "Felixroot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot', 'https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html', 'https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf', 'https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257']}\n", "fengine {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fengine', 'https://www.zscaler.jp/blogs/security-research/naver-ending-game-lazarus-apt']}\n", "Feodo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo', 'https://feodotracker.abuse.ch/', 'http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html', 'https://en.wikipedia.org/wiki/Maksim_Yakubets', 'http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html', 'https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/'], 'synonyms': ['Bugat', 'Cridex']}\n", "FFDroider {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ffdroider', 'https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html', 'https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users']}\n", "Ficker Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer', 'https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/', 'https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware', 'https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a', 'https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market', 'https://twitter.com/3xp0rtblog/status/1321209656774135810', 'https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf']}\n", "FileIce {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom', 'https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/']}\n", "Filerase {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail']}\n", "Final1stSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy', 'https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/']}\n", "FindPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://blogs.cisco.com/security/talos/poseidon', 'https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/'], 'synonyms': ['Poseidon']}\n", "FinFisher RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher', 'https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/', 'https://securelist.com/finspy-unseen-findings/104322/', 'https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/', 'http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation', 'https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues', 'https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf', 'https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization', 'https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization', 'https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process', 'https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization', 'https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html', 'https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye', 'https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2', 'https://github.com/RolfRolles/FinSpyVM', 'https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html', 'https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/', 'https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html', 'https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/', 'https://securelist.com/apt-trends-report-q2-2019/91897/'], 'synonyms': ['FinSpy']}\n", "Fireball {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball', 'http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/']}\n", "FireBird RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.firebird_rat', 'https://twitter.com/casual_malware/status/1237775601035096064']}\n", "Fire Chili {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili', 'https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html', 'https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits']}\n", "FireCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt', 'https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/']}\n", "FireMalv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv', 'https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf']}\n", "FirstRansom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom', 'https://twitter.com/JaromirHorejsi/status/815949909648150528']}\n", "FishMaster {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster', 'https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E', 'https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/'], 'synonyms': ['JollyJellyfish']}\n", "FiveHands {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands', 'https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a', 'https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue', 'https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire', 'https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-249a', 'https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/', 'https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html'], 'synonyms': ['Thieflock']}\n", "Flagpro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro', 'https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech', 'https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/', 'https://vblocalhost.com/uploads/VB2021-50.pdf', 'https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf', 'https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro'], 'synonyms': ['BUSYICE']}\n", "Flame {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flame', 'https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache', 'https://www.crysys.hu/publications/files/skywiper.pdf', 'https://securelist.com/the-flame-questions-and-answers-51/34344/', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments'], 'synonyms': ['sKyWIper']}\n", "FLASHFLOOD {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf']}\n", "FlawedAmmyy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy', 'https://attack.mitre.org/software/S0381/', 'https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/', 'https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do', 'https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south', 'https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat', 'https://www.secureworks.com/research/threat-profiles/gold-tahoe', 'https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/', 'https://habr.com/ru/company/pt/blog/475328/', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.youtube.com/watch?v=N4f2e8Mygag', 'https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930']}\n", "FlawedGrace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://twitter.com/MsftSecIntel/status/1273359829390655488', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem', 'https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant', 'https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/', 'https://www.secureworks.com/research/threat-profiles/gold-tahoe', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace'], 'synonyms': ['GraceWire']}\n", "FlexiSpy (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy', 'https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/']}\n", "FlokiBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot', 'http://adelmas.com/blog/flokibot.php', 'http://blog.talosintel.com/2016/12/flokibot-collab.html#more', 'https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/', 'https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html', 'https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/', 'https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/', 'https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/']}\n", "FlowCloud {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud', 'https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/', 'https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new', 'https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis', 'https://nao-sec.org/2021/01/royal-road-redive.html']}\n", "FlowerShop {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf']}\n", "Floxif {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif', 'https://www.mandiant.com/resources/pe-file-infecting-malware-ot', 'https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library']}\n", "Flusihoc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc', 'https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/']}\n", "FlyingDutchman {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman', 'https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/']}\n", "FlyStudio {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.flystudio', 'https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/']}\n", "Fobber {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber', 'https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/', 'http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html', 'https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber', 'http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html', 'http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf']}\n", "FONIX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix', 'https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/', 'https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/']}\n", "Formbook {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook', 'https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent', 'https://www.connectwise.com/resources/formbook-remcos-rat', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf', 'https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/', 'https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html', 'https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware', 'https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption', 'https://blog.talosintelligence.com/2018/06/my-little-formbook.html', 'https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/', 'https://blog.netlab.360.com/purecrypter', 'https://cert.gov.ua/article/955924', 'https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/', 'http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html', 'https://news.sophos.com/en-us/2020/05/14/raticate/', 'https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://link.medium.com/uaBiIXgUU8', 'https://isc.sans.edu/diary/26806', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://www.lac.co.jp/lacwatch/report/20220307_002893.html', 'https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/', 'http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer', 'https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html', 'https://youtu.be/aQwnHIlGSBM', 'https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails', 'https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/', 'https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I', 'https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view', 'https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf', 'https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/', 'https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html', 'https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/', 'https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/', 'https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html', 'https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/', 'https://asec.ahnlab.com/en/32149/', 'https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii', 'https://usualsuspect.re/article/formbook-hiding-in-plain-sight', 'https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/', 'https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['win.xloader']}\n", "FormerFirstRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat', 'https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/', 'https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies', 'https://unit42.paloaltonetworks.com/atoms/shallowtaurus/', 'https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/'], 'synonyms': ['ffrat']}\n", "FortuneCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fortunecrypt', 'https://securelist.com/ransomware-two-pieces-of-good-news/93355/']}\n", "FoxSocket {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.foxsocket', 'https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html']}\n", "FRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.frat', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md']}\n", "Freenki Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki', 'https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/', 'http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html', 'https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html', 'https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html']}\n", "FriedEx {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex', 'https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/', 'https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/', 'https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/', 'https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/', 'http://www.secureworks.com/research/threat-profiles/gold-drake', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/', 'https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/', 'https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-drake', 'https://killingthebear.jorgetesta.tech/actors/evil-corp'], 'synonyms': ['BitPaymer', 'DoppelPaymer', 'IEncrypt']}\n", "win.fujinama {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fujinama', 'https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa']}\n", "FunnySwitch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2', 'https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf'], 'synonyms': ['RouterGod']}\n", "FunnyDream {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager', 'https://nao-sec.org/2021/01/royal-road-redive.html', 'https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf']}\n", "Furtim {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim', 'https://sentinelone.com/blogs/sfg-furtims-parent/']}\n", "FuxSocy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy', 'http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html', 'https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/']}\n", "Gacrux {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux', 'https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader/']}\n", "GalaxyLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader']}\n", "gamapos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos', 'http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf'], 'synonyms': ['pios']}\n", "Gameover DGA {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga']}\n", "Gameover P2P {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf', 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware', 'https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state', 'https://www.wired.com/2017/03/russian-hacker-spy-botnet/', 'https://www.wired.com/?p=2171700', 'https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf', 'https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/', 'https://www.lawfareblog.com/what-point-these-nation-state-indictments', 'https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf', 'https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf'], 'synonyms': ['GOZ', 'Mapp', 'ZeuS P2P']}\n", "Gamotrol {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol']}\n", "Gandcrab {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab', 'https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html', 'https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html', 'https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/', 'https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html', 'https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf', 'https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/', 'https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/', 'https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/', 'https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/', 'http://www.secureworks.com/research/threat-profiles/gold-garden', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/', 'https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/', 'https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom', 'https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/', 'https://vimeo.com/449849549', 'https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/', 'https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/', 'https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/', 'https://unit42.paloaltonetworks.com/revil-threat-actors/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/', 'http://asec.ahnlab.com/1145', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/', 'https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/', 'https://isc.sans.edu/diary/23417', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights', 'https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html', 'https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/', 'http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/', 'https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind', 'https://www.secureworks.com/research/threat-profiles/gold-garden', 'https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html'], 'synonyms': ['GrandCrab']}\n", "Gasket {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gasket', 'https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/']}\n", "Gaudox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox', 'http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html']}\n", "Gauss {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss', 'http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf']}\n", "Gazer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer', 'https://github.com/eset/malware-ioc/tree/master/turla', 'https://www.youtube.com/watch?v=Pvzhtjl86wc', 'https://securelist.com/shedding-skin-turlas-fresh-faces/88069/', 'https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/', 'https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/', 'https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf', 'https://securelist.com/introducing-whitebear/81638/'], 'synonyms': ['WhiteBear']}\n", "GCleaner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://bazaar.abuse.ch/browse/signature/GCleaner/']}\n", "gcman {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman', 'https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/']}\n", "Gdrive {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gdrive', 'https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/', 'https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/'], 'synonyms': ['DoomDrive', 'GoogleDriveSucks']}\n", "GearInformer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer', 'https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html']}\n", "GEARSHIFT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift', 'https://content.fireeye.com/apt-41/rpt-apt41/']}\n", "GEMCUTTER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf']}\n", "Get2 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.get2', 'https://intel471.com/blog/ta505-get2-loader-malware-december-2020/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader', 'https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7', 'https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-tahoe', 'https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.goggleheadedhacker.com/blog/post/13', 'https://github.com/Tera0017/TAFOF-Unpacker', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update', 'https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md'], 'synonyms': ['FRIENDSPEAK', 'GetandGo']}\n", "GetMail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "GetMyPass {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/', 'https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html', 'https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-26-getmypass-point-of-sale-malware.md'], 'synonyms': ['getmypos']}\n", "get_pwd {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.get_pwd', 'https://ihonker.org/thread-1504-1-1.html']}\n", "Gh0stTimes {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes', 'https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html']}\n", "Ghole {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole', 'http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf', 'https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/', 'https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf'], 'synonyms': ['CoreImpact (Modified)', 'Gholee']}\n", "GhostEmperor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor', 'https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf', 'https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/']}\n", "Gh0stnet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet', 'http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html', 'https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf', 'https://www.nartv.org/2019/03/28/10-years-since-ghostnet/', 'https://en.wikipedia.org/wiki/GhostNet'], 'synonyms': ['Remosh']}\n", "GhostAdmin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin', 'https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html', 'https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/'], 'synonyms': ['Ghost iBot']}\n", "Ghost RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat', 'https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats', 'https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/', 'https://hackcon.org/uploads/327/05%20-%20Kwak.pdf', 'https://risky.biz/whatiswinnti/', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia', 'https://s.tencent.com/research/report/836.html', 'https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf', 'https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://attack.mitre.org/groups/G0026', 'https://www.secureworks.com/research/threat-profiles/bronze-edison', 'https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new', 'https://www.intezer.com/blog/malware-analysis/chinaz-relations/', 'https://asec.ahnlab.com/en/32572/', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf', 'https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf', 'https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits', 'https://blog.cylance.com/the-ghost-dragon', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html', 'https://unit42.paloaltonetworks.com/atoms/iron-taurus/', 'https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html', 'https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/', 'https://www.datanet.co.kr/news/articleView.html?idxno=133346', 'https://attack.mitre.org/groups/G0011', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/', 'https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf', 'https://www.intezer.com/blog-chinaz-relations/', 'https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/', 'https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html', 'https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack', 'https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/', 'http://www.malware-traffic-analysis.net/2018/01/04/index.html', 'https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2', 'https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html', 'https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/', 'https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf', 'https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf', 'https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf', 'https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/', 'https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report', 'https://www.secureworks.com/research/threat-profiles/bronze-globe', 'https://blog.talosintelligence.com/2019/09/panda-evolution.html', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-fleetwood', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/', 'https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox', 'http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf', 'https://attack.mitre.org/groups/G0001/', 'https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html', 'http://www.nartv.org/mirror/ghostnet.pdf', 'https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html', 'http://www.hexblog.com/?p=1248', 'https://attack.mitre.org/groups/G0096', 'https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/', 'https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf', 'https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41', 'https://www.prevailion.com/the-gh0st-remains-the-same-2/'], 'synonyms': ['Farfli', 'Gh0st RAT', 'PCRat']}\n", "Gibberish {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish', 'https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html']}\n", "Giffy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.giffy', 'https://vx-underground.org/archive/APTs/2016/2016.09.06/Buckeye.pdf']}\n", "Ginwui {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ginwui', 'https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process']}\n", "Ginzo Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ginzo', 'https://twitter.com/struppigel/status/1506933328599044100', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://www.govcert.ch/downloads/whitepapers/Unflattening-ConfuserEx-Code-in-IDA.pdf']}\n", "Glasses {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses'], 'synonyms': ['Wordpress Bruteforcer']}\n", "GlassRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat', 'https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat']}\n", "GlitchPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos', 'https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html']}\n", "GlobeImposter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter', 'https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.emsisoft.com/ransomware-decryption-tools/globeimposter', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant', 'https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-swathmore', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run', 'https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/', 'https://isc.sans.edu/diary/23417', 'https://blog.ensilo.com/globeimposter-ransomware-technical', 'https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/', 'https://asec.ahnlab.com/ko/30284/'], 'synonyms': ['Fake Globe']}\n", "Globe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom']}\n", "GlooxMail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "Glupteba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba', 'https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html', 'https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/', 'https://community.riskiq.com/article/2a36a7d2/description', 'https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728', 'https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/', 'https://blog.google/technology/safety-security/new-action-combat-cyber-crime/', 'https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/', 'https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/', 'https://blog.google/threat-analysis-group/disrupting-glupteba-operation/', 'https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451', 'https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf', 'http://resources.infosecinstitute.com/tdss4-part-1/', 'https://habr.com/ru/company/solarsecurity/blog/578900/', 'https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html', 'https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/', 'https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/', 'https://labs.k7computing.com/?p=22319', 'https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter', 'https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf']}\n", "GoBotKR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gobotkr', 'https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/']}\n", "goCryptoLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gocryptolocker', 'https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html', 'https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go', 'https://twitter.com/GrujaRS/status/1254657823478353920']}\n", "Godlike12 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/', 'https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/'], 'synonyms': ['GOSLU']}\n", "goDoH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.godoh', 'https://github.com/sensepost/goDoH', 'https://sensepost.com/blog/2018/waiting-for-godoh/']}\n", "Godzilla Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader', 'https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/']}\n", "Gofing {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gofing', 'https://twitter.com/struppigel/status/1498229809675214849'], 'synonyms': ['Velocity Polymorphic Compression Malware']}\n", "Goggles {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "GoGoogle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gogoogle', 'https://labs.bitdefender.com/2020/05/gogoogle-decryption-tool/'], 'synonyms': ['BossiTossi']}\n", "GoldenEye {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye', 'https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/', 'https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/'], 'synonyms': ['Petya/Mischa']}\n", "GoldenHelper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper', 'https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/']}\n", "GoldenSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy', 'https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf', 'https://www.ic3.gov/Media/News/2020/201103-1.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/', 'https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/', 'https://www.ic3.gov/media/news/2020/200728.pdf', 'https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf']}\n", "GoldMax {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://securelist.com/extracting-type-information-from-go-binaries/104715/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/', 'https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/', 'https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/'], 'synonyms': ['SUNSHUTTLE']}\n", "GoldDragon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon', 'https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf', 'https://www.youtube.com/watch?v=rfzmHjZX70s', 'https://asec.ahnlab.com/en/31089/', 'https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html'], 'synonyms': ['Lovexxx']}\n", "Golroted {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted', 'http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html']}\n", "GoMet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gomet', 'https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html']}\n", "Gomorrah stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer', 'https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April', 'https://twitter.com/vxunderground/status/1469713783308357633']}\n", "Goodor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks', 'https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/', 'https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control'], 'synonyms': ['Fuerboos']}\n", "GoogleDrive RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat', 'https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf']}\n", "GooPic Drooper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic', 'https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/']}\n", "GootKit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit', 'https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/', 'https://www.certego.net/en/news/malware-tales-gootkit/', 'https://www.youtube.com/watch?v=242Tn0IL2jE', 'https://dannyquist.github.io/gootkit-reversing-ghidra/', 'https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/', 'https://www.us-cert.gov/ncas/alerts/TA16-336A', 'https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/', 'https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/', 'https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/', 'https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection', 'https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html', 'https://www.youtube.com/watch?v=QgUlPvEE4aw', 'https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/', 'https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/', 'http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html', 'https://securelist.com/gootkit-the-cautious-trojan/102731/', 'https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728', 'https://news.drweb.com/show/?i=4338&lng=en', 'https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps', 'http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html', 'https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/', 'https://twitter.com/jhencinski/status/1464268732096815105', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan', 'https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope', 'https://twitter.com/MsftSecIntel/status/1366542130731094021', 'https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf', 'https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html', 'https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/', 'https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md', 'http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/', 'https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055'], 'synonyms': ['Waldek', 'Xswkit', 'talalpek']}\n", "Gophe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe', 'https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville', 'https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques']}\n", "GOTROJ {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gotroj', 'https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf']}\n", "GovRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat', 'https://www.yumpu.com/en/document/view/55930175/govrat-v20']}\n", "Gozi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html', 'https://www.secureworks.com/research/threat-profiles/gold-swathmore', 'https://www.youtube.com/watch?v=BcFbkjUVc7o', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://github.com/mlodic/ursnif_beacon_decryptor', 'https://lokalhost.pl/gozi_tree.txt', 'https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007', 'http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/', 'https://www.secureworks.com/research/gozi', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'], 'synonyms': ['CRM', 'Gozi CRM', 'Papras', 'Snifula', 'Ursnif']}\n", "GPCode {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode', 'https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2', 'http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/', 'https://de.securelist.com/analysis/59479/erpresser/', 'http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html']}\n", "GrabBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot', 'http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data']}\n", "Graftor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor', 'http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html']}\n", "GRAMDOOR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gramdoor', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf', 'https://www.mandiant.com/resources/telegram-malware-iranian-espionage', 'https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611', 'https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html'], 'synonyms': ['Small Sieve']}\n", "Grandoreiro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season', 'http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853', 'https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals', 'https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf', 'https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/', 'https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/', 'https://securelist.com/the-tetrade-brazilian-banking-malware/97779/']}\n", "GrandSteal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grandsteal', 'http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html']}\n", "Graphite {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite', 'https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html']}\n", "Graphon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.graphon', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia']}\n", "GraphSteel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel', 'https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://cert.gov.ua/article/38374', 'https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/', 'https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830', 'https://www.mandiant.com/resources/spear-phish-ukrainian-entities', 'https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/']}\n", "Grateful POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos', 'http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html', 'https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/', 'https://content.fireeye.com/m-trends/rpt-m-trends-2020', 'https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf', 'https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/', 'http://www.secureworks.com/research/threat-profiles/gold-franklin', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season'], 'synonyms': ['FrameworkPOS', 'SCRAPMINT', 'trinity']}\n", "Gratem {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem']}\n", "Gravity RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat', 'https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/', 'https://securelist.com/gravityrat-the-spy-returns/99097/', 'https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/']}\n", "GREASE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grease', 'https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/']}\n", "GreenShaitan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan', 'https://blog.cylance.com/spear-a-threat-actor-resurfaces'], 'synonyms': ['eoehttp']}\n", "GreyEnergy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy', 'https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/', 'https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/', 'https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://securelist.com/greyenergys-overlap-with-zebrocy/89506/', 'https://attack.mitre.org/groups/G0034', 'https://github.com/NozomiNetworks/greyenergy-unpacker', 'https://www.secureworks.com/research/threat-profiles/iron-viking', 'https://www.eset.com/int/greyenergy-exposed/']}\n", "GRILLMARK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark', 'https://content.fireeye.com/m-trends/rpt-m-trends-2019', 'https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/'], 'synonyms': ['Hellsing Backdoor']}\n", "GRIMAGENT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent', 'https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets', 'https://blog.group-ib.com/grimagent', 'https://twitter.com/bryceabdo/status/1352359414746009608', 'https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer']}\n", "GrimPlant {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant', 'https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/', 'https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://cert.gov.ua/article/38374', 'https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/', 'https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830', 'https://www.mandiant.com/resources/spear-phish-ukrainian-entities', 'https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/']}\n", "GROK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grok', 'https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/']}\n", "GRUNT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt', 'https://www.telsy.com/download/5776/?uid=aca91e397e', 'https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html', 'https://twitter.com/ItsReallyNick/status/1208141697282117633', 'https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/']}\n", "gsecdump {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump', 'https://attack.mitre.org/wiki/Technique/T1003']}\n", "GUP Proxy Tool {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy', 'https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks']}\n", "Gwisin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.gwisin', 'https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf', 'https://asec.ahnlab.com/en/37483']}\n", "H1N1 Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1', 'https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities']}\n", "HabitsRAT (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.habitsrat', 'https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/', 'https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers']}\n", "Hacksfase {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "HackSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy', 'https://github.com/ratty3697/HackSpy-Trojan-Exploit']}\n", "Hades {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hades', 'https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox', 'https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf', 'https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure', 'https://www.accenture.com/us-en/blogs/security/ransomware-hades', 'https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities', 'https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware', 'https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp', 'https://twitter.com/inversecos/status/1381477874046169089?s=20', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/', 'http://www.secureworks.com/research/threat-profiles/gold-winter']}\n", "Hakbit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit', 'https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/', 'https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/', 'https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/', 'https://unit42.paloaltonetworks.com/thanos-ransomware/', 'http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html', 'https://unit42.paloaltonetworks.com/prometheus-ransomware/', 'https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants', 'https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland', 'https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware', 'https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/', 'https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/', 'https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.justice.gov/usao-edny/press-release/file/1505981/download', 'https://securelist.com/cis-ransomware/104452/'], 'synonyms': ['Thanos Ransomware']}\n", "Hamweq {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq', 'https://www.youtube.com/watch?v=JPvcLLYR0tE', 'https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf', 'https://www.youtube.com/watch?v=FAFuSO9oAl0', 'https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/']}\n", "Hancitor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor', 'https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/', 'https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon', 'https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/', 'https://twitter.com/TheDFIRReport/status/1359669513520873473', 'https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/', 'https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/', 'https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html', 'https://muha2xmad.github.io/unpacking/hancitor/', 'https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/', 'https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/', 'https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/', 'https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/', 'https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak', 'https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/', 'https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure', 'https://blog.group-ib.com/switching-side-jobs', 'https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8', 'https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb', 'https://cyber-anubis.github.io/malware%20analysis/hancitor/', 'https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/', 'https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618', 'https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor', 'https://isc.sans.edu/diary/rss/27618', 'https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity', 'https://muha2xmad.github.io/malware-analysis/fullHancitor/', 'https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html', 'https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/', 'https://pid4.io/posts/how_to_write_a_hancitor_extractor/', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/', 'https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/', 'https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear', 'https://www.uperesia.com/hancitor-packer-demystified', 'https://blog.group-ib.com/prometheus-tds', 'https://www.malware-traffic-analysis.net/2021/09/29/index.html', 'https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping', 'https://malware-traffic-analysis.net/2021/09/29/index.html', 'https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5', 'https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader', 'https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/', 'https://blog.group-ib.com/hancitor-cuba-ransomware'], 'synonyms': ['Chanitor']}\n", "HappyLocker (HiddenTear?) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker']}\n", "HARDRAIN (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf']}\n", "Harnig {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig', 'https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html', 'https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html'], 'synonyms': ['Piptea']}\n", "Haron Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.haron', 'https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/', 'https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b']}\n", "HavanaCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.havana_crypt', 'https://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html']}\n", "Havex RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat', 'https://www.f-secure.com/weblog/archives/00002718.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-083a', 'https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/', 'https://vblocalhost.com/uploads/VB2021-Slowik.pdf', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://www.secureworks.com/research/threat-profiles/iron-liberty']}\n", "HAWKBALL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball', 'https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html']}\n", "HawkEye Keylogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/', 'https://www.secureworks.com/research/threat-profiles/gold-galleon', 'http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter', 'https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html', 'https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/', 'https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html', 'https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/', 'http://www.secureworks.com/research/threat-profiles/gold-galleon', 'https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/', 'https://www.cyberbit.com/hawkeye-malware-keylogging-technique/', 'https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry', 'https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/', 'https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md'], 'synonyms': ['HawkEye', 'HawkEye Reborn', 'Predator Pain']}\n", "HDMR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr', 'https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1', 'http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html'], 'synonyms': ['GO-SPORT']}\n", "HDRoot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hdroot', 'https://securelist.com/i-am-hdroot-part-1/72275/', 'https://securelist.com/i-am-hdroot-part-2/72356/']}\n", "HeaderTip {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip', 'https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine', 'https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://cert.gov.ua/article/38097', 'https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip']}\n", "Helauto {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "HelloBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hellobot', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt']}\n", "HelloKitty (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty', 'https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html', 'https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape', 'https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/', 'https://www.ic3.gov/Media/News/2021/211029.pdf', 'https://twitter.com/fwosar/status/1359167108727332868', 'https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/', 'https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/', 'https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks', 'https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group', 'https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire', 'https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-249a', 'https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html', 'https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/', 'https://unit42.paloaltonetworks.com/emerging-ransomware-groups/', 'https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html', 'https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/'], 'synonyms': ['KittyCrypt']}\n", "Helminth {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth', 'https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability', 'https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/', 'https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/', 'http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae']}\n", "Heloag {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag', 'https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/']}\n", "Herbst {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst', 'https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware']}\n", "Heriplor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor', 'https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html', 'https://vblocalhost.com/uploads/VB2021-Slowik.pdf', 'https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks']}\n", "Hermes {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html', 'https://www.youtube.com/watch?v=9nuo-AGg4p4', 'https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf', 'https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html', 'https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12', 'https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/']}\n", "HermeticWiper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper', 'https://brandefense.io/hermeticwiper-technical-analysis-report/', 'https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html', 'https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/', 'https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/', 'https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket', 'https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/', 'https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/', 'https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine', 'https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/', 'https://thehackernews.com/2022/02/putin-warns-russian-critical.html', 'https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/', 'https://twitter.com/fr0gger_/status/1497121876870832128', 'https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/', 'https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works', 'https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/', 'https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/', 'https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html', 'https://dgc.org/en/hermeticwiper-malware/', 'https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/', 'https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/', 'https://eln0ty.github.io/malware%20analysis/HermeticWiper/', 'https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/', 'https://www.mandiant.com/resources/information-operations-surrounding-ukraine', 'https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/', 'https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/', 'https://www.englert.one/hermetic-wiper-reverse-code-engineering', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia', 'https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf', 'https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/', 'https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/', 'https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/', 'https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/', 'https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html', 'https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf', 'https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war', 'https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation', 'https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/', 'https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/', 'https://twitter.com/threatintel/status/1496578746014437376', 'https://www.youtube.com/watch?v=sUlW45c9izU', 'https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-057a', 'https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf', 'https://community.riskiq.com/article/9f59cb85', 'https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html', 'https://www.brighttalk.com/webcast/15591/534324'], 'synonyms': ['DriveSlayer', 'FoxBlade', 'KillDisk.NCV', 'NEARMISS']}\n", "HermeticWizard {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard', 'https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://twitter.com/silascutler/status/1501668345640366091', 'https://twitter.com/ET_Labs/status/1502494650640351236', 'https://www.brighttalk.com/webcast/15591/534324']}\n", "HerpesBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes']}\n", "HesperBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot']}\n", "heyoka {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.heyoka', 'https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/']}\n", "HiAsm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hiasm', 'https://fortiguard.fortinet.com/encyclopedia/virus/6488677']}\n", "Hidden Bee {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee', 'https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/', 'https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/', 'https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family', 'https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/', 'https://www.freebuf.com/column/175106.html', 'https://www.freebuf.com/column/174581.html', 'https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/', 'https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/']}\n", "HiddenTear {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear', 'https://twitter.com/struppigel/status/950787783353884672', 'https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/', 'https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/', 'https://github.com/goliate/hidden-tear', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/', 'https://twitter.com/JAMESWT_MHT/status/1264828072001495041', 'https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html', 'https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring'], 'synonyms': ['FuckUnicorn']}\n", "HideDRV {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html']}\n", "HIGHNOON {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://twitter.com/MrDanPerez/status/1159461995013378048', 'https://content.fireeye.com/apt-41/rpt-apt41/', 'https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html']}\n", "HIGHNOON.BIN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon_bin', 'https://content.fireeye.com/apt-41/rpt-apt41/']}\n", "HIGHNOTE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote', 'https://twitter.com/bkMSFT/status/1153994428949749761'], 'synonyms': ['ChyNode']}\n", "HiKit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit', 'https://www.recordedfuture.com/hidden-lynx-analysis/', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware', 'https://attack.mitre.org/groups/G0001/', 'https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf']}\n", "himan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.himan', 'https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf']}\n", "Himera Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader', 'https://twitter.com/James_inthe_box/status/1260191589789392898']}\n", "Hisoka {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hisoka', 'https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/']}\n", "Hive (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hive', 'https://www.connectwise.com/resources/hive-profile', 'https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/', 'https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/', 'https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/', 'https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/', 'https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/', 'https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape', 'https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/', 'https://arxiv.org/pdf/2202.08477.pdf', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://github.com/rivitna/Malware/tree/main/Hive', 'https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware', 'https://www.ic3.gov/Media/News/2021/210825.pdf', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf', 'https://blog.group-ib.com/hive', 'https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/', 'https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html', 'https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf', 'https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/', 'https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html', 'https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group', 'https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive', 'https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/', 'https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/', 'https://www.varonis.com/blog/hive-ransomware-analysis', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098', 'https://unit42.paloaltonetworks.com/emerging-ransomware-groups/', 'https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals', 'https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again']}\n", "Hi-Zor RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat', 'https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat']}\n", "HLUX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux']}\n", "Holcus Installer (Adware) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.holcus', 'https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0']}\n", "homefry {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry', 'https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk']}\n", "HookInjEx {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hookinjex', 'https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/', 'https://twitter.com/CDA/status/1014144988454772736']}\n", "HOPLIGHT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight', 'https://www.us-cert.gov/ncas/analysis-reports/ar19-304a', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.us-cert.gov/ncas/analysis-reports/AR19-100A', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-045g', 'https://www.secureworks.com/research/threat-profiles/nickel-academy', 'https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf', 'https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/', 'https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea'], 'synonyms': ['HANGMAN']}\n", "Hopscotch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch', 'https://www.youtube.com/watch?v=VnzP00DZlx4']}\n", "HorusEyes RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.horuseyes', 'https://github.com/arsium/HorusEyesRat_Public']}\n", "Horus Eyes RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.horus_eyes_rat', 'https://seguranca-informatica.pt/the-clandestine-horus-eyes-rat-from-the-underground-to-criminals-arsenal/']}\n", "HOTCROISSANT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant', 'https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/', 'https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-045d']}\n", "HOTWAX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf', 'https://content.fireeye.com/apt/rpt-apt38', 'https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/', 'https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf']}\n", "Houdini {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini', 'https://cofense.com/houdini-worm-transformed-new-phishing-attack/', 'https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html', 'https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks', 'https://www.youtube.com/watch?v=XDAiS6KBDOs', 'https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/', 'http://blog.morphisec.com/hworm-houdini-aka-njrat', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/', 'https://www.youtube.com/watch?v=h3KLKCdMUUY', 'https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns', 'https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt', 'https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/', 'https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g', 'https://threatpost.com/ta2541-apt-rats-aviation/178422/', 'https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md', 'https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/', 'https://blogs.360.cn/post/APT-C-44.html', 'https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html', 'https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37', 'http://blogs.360.cn/post/analysis-of-apt-c-37.html', 'https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/', 'https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/', 'https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape'], 'synonyms': ['Hworm', 'Jenxcus', 'Kognito', 'Njw0rm', 'WSHRAT', 'dinihou', 'dunihi']}\n", "HtBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot']}\n", "htpRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat', 'https://www.riskiq.com/blog/labs/htprat/']}\n", "HTran {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.htran', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers', 'https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/', 'https://www.secureworks.com/research/threat-profiles/bronze-mayfair', 'https://www.secureworks.com/research/htran', 'https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/', 'https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/', 'https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf'], 'synonyms': ['HUC Packet Transmit Tool']}\n", "HttpBrowser {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser', 'https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/', 'https://attack.mitre.org/groups/G0026'], 'synonyms': ['HttpDump']}\n", "httpdropper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper', 'https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787', 'http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf'], 'synonyms': ['httpdr0pper']}\n", "http_troy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy', 'https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf', 'http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html']}\n", "HUI Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader', 'https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf']}\n", "Hunter Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter', 'https://twitter.com/3xp0rtblog/status/1324800226381758471']}\n", "Hupigon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hupigon', 'https://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities']}\n", "Hussar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hussar', 'https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/']}\n", "HxDef {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hxdef', 'https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/'], 'synonyms': ['HacDef', 'HackDef', 'HackerDefender']}\n", "HyperBro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt', 'https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf', 'https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia', 'https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf', 'https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/', 'https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx', 'https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf', 'https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/', 'https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10', 'https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html', 'https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/', 'https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/', 'https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html', 'http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/', 'https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia', 'https://securelist.com/luckymouse-hits-national-data-center/86083/', 'https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox', 'https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html', 'https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/', 'https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop', 'https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/']}\n", "HYPERSCRAPE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperscrape', 'https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/']}\n", "HyperSSL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl', 'https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf', 'https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html', 'https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel', 'https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf', 'https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf', 'https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx', 'https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf', 'https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html', 'https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/', 'https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf', 'https://norfolkinfosec.com/emissary-panda-dll-backdoor/'], 'synonyms': ['FOCUSFJORD', 'Soldier', 'Sysupdate']}\n", "IcedID {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid', 'https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/', 'https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f', 'https://twitter.com/felixw3000/status/1521816045769662468', 'https://malwation.com/icedid-malware-technical-analysis-report/', 'https://thedfirreport.com/2021/05/12/conti-ransomware/', 'https://tccontre.blogspot.com/2021/01/', 'https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/', 'https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/', 'https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html', 'https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/', 'https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders', 'https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/', 'https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/', 'https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html', 'https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/', 'https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan', 'https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/', 'https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917', 'https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b', 'https://blog.minerva-labs.com/icedid-maas', 'https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/', 'https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html', 'https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766', 'https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://threatresearch.ext.hp.com/detecting-ta551-domains/', 'https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire', 'https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/', 'https://netresec.com/?b=214d7ff', 'https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html', 'https://blog.group-ib.com/prometheus-tds', 'https://blog.reconinfosec.com/an-encounter-with-ta551-shathak', 'https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.binarydefense.com/icedid-gziploader-analysis/', 'https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/', 'https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html', 'https://isc.sans.edu/diary/28636', 'https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/', 'https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/', 'https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf', 'https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html', 'https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf', 'http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/', 'https://github.com/telekom-security/icedid_analysis', 'https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros', 'https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/', 'https://www.youtube.com/watch?v=wObF9n2UIAM', 'https://unit42.paloaltonetworks.com/atoms/monsterlibra/', 'https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back', 'https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html', 'https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid', 'https://blog.talosintelligence.com/2020/07/valak-emerges.html', 'https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf', 'https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240', 'https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims', 'https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/', 'https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://nikpx.github.io/malware/analysis/2022/03/09/BokBot', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.youtube.com/watch?v=oZ4bwnjcXWg', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/', 'https://www.youtube.com/watch?v=YEqLIR6hfOM', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx', 'https://www.youtube.com/watch?v=wMXD4Sv1Alw', 'https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware', 'https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf', 'https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/', 'https://www.youtube.com/watch?v=7Dk7NkIbVqY', 'https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/', 'https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware', 'https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html', 'https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike', 'https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/', 'https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884', 'https://intel471.com/blog/conti-emotet-ransomware-conti-leaks', 'https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/', 'https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/', 'https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://eln0ty.github.io/malware%20analysis/IcedID/', 'https://www.group-ib.com/blog/icedid', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html', 'https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html', 'https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/', 'https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/', 'https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/', 'https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/', 'https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx', 'https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/', 'https://ceriumnetworks.com/threat-of-the-month-icedid-malware/', 'https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/', 'https://www.ironnet.com/blog/ransomware-graphic-blog', 'https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/', 'https://thedfirreport.com/2022/04/25/quantum-ransomware/', 'https://www.silentpush.com/blog/icedid-command-and-control-infrastructure', 'https://forensicitguy.github.io/analyzing-icedid-document/', 'https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/', 'https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/', 'https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships', 'https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html', 'https://github.com/f0wl/deICEr', 'https://cert.gov.ua/article/39609', 'https://www.secureworks.com/research/threat-profiles/gold-swathmore', 'https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2', 'https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise', 'https://www.silentpush.com/blog/malicious-infrastructure-as-a-service', 'https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/', 'https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/', 'https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/', 'https://unit42.paloaltonetworks.com/ta551-shathak-icedid/', 'https://isc.sans.edu/diary/rss/28934', 'https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/', 'https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes'], 'synonyms': ['BokBot', 'IceID']}\n", "IcedID Downloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader', 'http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/', 'https://threatray.com/blog/a-new-icedid-gziploader-variant/', 'https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/']}\n", "Icefog {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt', 'http://www.kz-cert.kz/page/502', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf'], 'synonyms': ['Fucobha']}\n", "win.icexloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.icexloader', 'https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim']}\n", "Ice IX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix', 'https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/', 'https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus', 'https://securelist.com/ice-ix-not-cool-at-all/29111/']}\n", "IconDown {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown', 'https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html']}\n", "IcyHeart {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart'], 'synonyms': ['Troxen']}\n", "IDKEY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey', 'https://isc.sans.edu/diary/22766']}\n", "IISniff {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf', 'https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf']}\n", "IISpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.iispy', 'https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/'], 'synonyms': ['BadIIS']}\n", "Imecab {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab', 'https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east']}\n", "Imminent Monitor RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat', 'https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html', 'https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/', 'https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/', 'https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america', 'https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.secureworks.com/research/threat-profiles/cobalt-trinity', 'https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/', 'https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt']}\n", " Immortal Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.immortal_stealer', 'https://www.zscaler.com/blogs/research/immortal-information-stealer']}\n", "Incubator {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.incubator', 'https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf', 'https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/']}\n", "IndigoDrop {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.indigodrop', 'https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html']}\n", "Industrial Spy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy', 'https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware']}\n", "Industroyer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer', 'https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/', 'https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf', 'https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/', 'https://dragos.com/blog/crashoverride/CrashOverride-01.pdf', 'https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/', 'https://en.wikipedia.org/wiki/Industroyer', 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games', 'https://cert.gov.ua/article/39518', 'https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/', 'https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/', 'https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf', 'https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/', 'https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf', 'https://www.secureworks.com/research/threat-profiles/iron-viking', 'https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf'], 'synonyms': ['Crash', 'CrashOverride']}\n", "INDUSTROYER2 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2', 'https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis', 'https://blog.scadafence.com/industroyer2-attack', 'https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works', 'https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/', 'https://pylos.co/2022/04/23/industroyer2-in-perspective/', 'https://cert.gov.ua/article/39518', 'https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd', 'https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/', 'https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure', 'https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/', 'https://twitter.com/silascutler/status/1513870210398363651', 'https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/', 'https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf']}\n", "Inferno {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.inferno', 'https://github.com/LimerBoy/Inferno']}\n", "InfoDot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.infodot', 'https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html']}\n", "Infy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.infy', 'https://research.checkpoint.com/2021/after-lightning-comes-thunder/', 'https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf', 'https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/', 'https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/', 'https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv', 'http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/', 'https://www.intezer.com/prince-of-persia-the-sands-of-foudre/', 'http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/', 'https://cloud.tencent.com/developer/article/1738806'], 'synonyms': ['Foudre']}\n", "InnaputRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat', 'https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/']}\n", "win.innfirat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.innfirat', 'https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more']}\n", "Interception {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.interception', 'https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf']}\n", "InvisiMole {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole', 'https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/', 'https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/', 'https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf', 'https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/']}\n", "Ironcat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ironcat', 'https://aaronrosenmund.com/blog/2020/09/26/ironcat-ransmoware/', 'https://twitter.com/demonslay335/status/1308827693312548864']}\n", "IRONHALO {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://www.symantec.com/security-center/writeup/2015-122210-5128-99', 'https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html', 'https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html']}\n", "IsaacWiper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper', 'https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html', 'https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine', 'https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works', 'https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/', 'https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/', 'https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/', 'https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/', 'https://twitter.com/ESETresearch/status/1521910890072842240', 'https://experience.mandiant.com/trending-evil-2/p/1', 'https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf', 'https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/', 'https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/', 'https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/', 'https://www.brighttalk.com/webcast/15591/534324'], 'synonyms': ['LASAINRAW']}\n", "ISFB {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html', 'https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware', 'https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0', 'https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/', 'https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/', 'https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489', 'https://threatresearch.ext.hp.com/detecting-ta551-domains/', 'https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/', 'https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/', 'https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html', 'https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/', 'https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/', 'https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/', 'https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy', 'https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization', 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware', 'https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/', 'https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html', 'https://redcanary.com/resources/webinars/deep-dive-process-injection/', 'https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/', 'https://www.youtube.com/watch?v=KvOpNznu_3w', 'https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/', 'https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html', 'https://www.tgsoft.it/files/report/download.asp?id=568531345', 'https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them', 'https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass', 'https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/', 'https://blog.talosintelligence.com/2020/07/valak-emerges.html', 'https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/', 'https://www.tgsoft.it/files/report/download.asp?id=7481257469', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf', 'https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks', 'https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/', 'http://benkow.cc/DreambotSAS19.pdf', 'https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/', 'https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html', 'https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware', 'https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html', 'https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/', 'https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex', 'https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/', 'https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work', 'https://lokalhost.pl/gozi_tree.txt', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/', 'https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/', 'https://blog.group-ib.com/gozi-latest-ttps', 'https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245', 'https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much', 'https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/', 'https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/', 'https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/', 'https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/', 'https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/', 'https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/', 'https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf', 'https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/', 'https://www.youtube.com/watch?v=jlc7Ahp8Iqg', 'https://blog.yoroi.company/research/ursnif-long-live-the-steganography/', 'https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html', 'https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15', 'https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/', 'https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf', 'https://www.cyberbit.com/new-ursnif-malware-variant/', 'https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update', 'https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware', 'https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb', 'https://github.com/mlodic/ursnif_beacon_decryptor', 'https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['Gozi ISFB', 'IAP', 'Pandemyia']}\n", "ISMAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent', 'https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/', 'https://unit42.paloaltonetworks.com/atoms/evasive-serpens/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae', 'http://www.clearskysec.com/ismagent/']}\n", "ISMDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor', 'https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon', 'http://www.clearskysec.com/greenbug/', 'https://unit42.paloaltonetworks.com/atoms/evasive-serpens/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia', 'https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon']}\n", "iSpy Keylogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger', 'https://www.zscaler.com/blogs/research/ispy-keylogger', 'https://www.secureworks.com/research/threat-profiles/gold-skyline']}\n", "IsraBye {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://twitter.com/malwrhunterteam/status/1085162243795369984']}\n", "ISR Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer', 'https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/']}\n", "IsSpace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace', 'https://www.secureworks.com/research/threat-profiles/bronze-express', 'https://www.secureworks.com/research/threat-profiles/bronze-overbrook', 'http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf', 'https://unit42.paloaltonetworks.com/atoms/shallowtaurus/', 'http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/', 'https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf', 'https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/'], 'synonyms': ['NfLog RAT']}\n", "IXWare {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ixware', 'https://fr3d.hk/blog/ixware-kids-will-be-skids']}\n", "JackPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos']}\n", "Jaff {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff', 'http://malware-traffic-analysis.net/2017/05/16/index.html', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart']}\n", "Jager Decryptor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor']}\n", "Jaku {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku', 'https://securelist.com/whos-really-spreading-through-the-bright-star/68978/', 'https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf', 'https://www.brighttalk.com/webcast/7451/538775', 'https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146'], 'synonyms': ['C3PRO-RACOON', 'EQUINOX', 'KCNA Infostealer', 'Reconcyc']}\n", "Janeleiro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.janeleiro', 'https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf', 'https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/']}\n", "jason {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jason', 'https://twitter.com/P3pperP0tts/status/1135503765287657472', 'https://marcoramilli.com/2019/06/06/apt34-jason-project/', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf']}\n", "Jasus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "JCry {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry', 'https://twitter.com/IdoNaor1/status/1101936940297924608', 'https://twitter.com/0xffff0800/status/1102078898320302080']}\n", "Jeno {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jeno', 'https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html'], 'synonyms': ['Jest', 'Valeria']}\n", "JhoneRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat', 'https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/', 'https://blog.talosintelligence.com/2020/01/jhonerat.html', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf']}\n", "Jigsaw {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw']}\n", "Jimmy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy', 'https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/']}\n", "Joanap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware', 'https://www.us-cert.gov/ncas/alerts/TA18-149A', 'https://www.us-cert.gov/ncas/analysis-reports/AR18-149A', 'https://www.secureworks.com/research/threat-profiles/nickel-academy', 'https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4']}\n", "Joao {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.joao', 'https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/']}\n", "win.JobCrypter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jobcrypter', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots']}\n", "Jolob {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob', 'http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html']}\n", "JQJSNICKER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker', 'http://marcmaiffret.com/vault7/']}\n", "JripBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf', 'https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/']}\n", "JSOutProx {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox', 'https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/', 'https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat', 'https://twitter.com/zlab_team/status/1208022180241530882', 'https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/', 'https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese', 'https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/', 'https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf']}\n", "JSSLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader', 'https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded', 'https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition', 'https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf', 'https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html', 'https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/', 'https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/', 'https://www.mandiant.com/resources/evolution-of-fin7', 'https://blog.morphisec.com/vmware-identity-manager-attack-backdoor', 'https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware']}\n", "JuicyPotato {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato', 'https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf', 'https://github.com/ohpe/juicy-potato', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf', 'https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/', 'https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/']}\n", "JUMPALL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.jumpall', 'https://content.fireeye.com/apt-41/rpt-apt41/']}\n", "KAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "Karagany {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany', 'https://vblocalhost.com/uploads/VB2021-Slowik.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf', 'https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector', 'https://www.secureworks.com/research/threat-profiles/iron-liberty', 'https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group'], 'synonyms': ['Karagny']}\n", "Kardon Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader', 'https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab', 'https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/']}\n", "Karius {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.karius', 'https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest', 'https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/', 'https://research.checkpoint.com/banking-trojans-development/']}\n", "Karkoff {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff', 'https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html', 'https://www.secureworks.com/research/threat-profiles/cobalt-edgewater', 'https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/', 'https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ', 'https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae'], 'synonyms': ['CACTUSPIPE', 'MailDropper']}\n", "Karma {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.karma', 'https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728', 'https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/', 'https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/', 'https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware', 'https://www.youtube.com/watch?v=hgz5gZB3DxE', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "KasperAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent', 'https://www.threatconnect.com/blog/kasperagent-malware-campaign/', 'http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/']}\n", "Kazuar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar', 'http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://www.epicturla.com/blog/sysinturla', 'https://youtu.be/SW8kVkwDOrc?t=24706', 'https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity', 'https://securelist.com/sunburst-backdoor-kazuar/99981/', 'https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection']}\n", "KazyLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kazyloader', 'https://twitter.com/struppigel/status/1501105224819392516']}\n", "KDC Sponge {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge', 'https://us-cert.cisa.gov/ncas/alerts/aa21-336a']}\n", "Kegotip {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/']}\n", "KEKW {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kekw', 'https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html'], 'synonyms': ['KEKW-Locker']}\n", "Kelihos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos', 'https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf', 'https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/', 'https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/', 'https://en.wikipedia.org/wiki/Kelihos_botnet', 'https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet', 'https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/', 'https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/', 'https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/', 'https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/']}\n", "Keona {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.keona', 'https://twitter.com/3xp0rtblog/status/1536704209760010241']}\n", "KerrDown {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown', 'https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/', 'https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7', 'https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf', 'https://blog.cystack.net/word-based-malware-attack/', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf', 'https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/', 'https://www.secureworks.com/research/threat-profiles/tin-woodlawn', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam']}\n", "Ketrican {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf', 'https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/', 'https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/']}\n", "Ketrum {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum', 'https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/']}\n", "KeyBase {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase', 'https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/', 'https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html', 'https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/', 'https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/', 'https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017', 'https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/', 'https://voidsec.com/keybase-en/'], 'synonyms': ['Kibex']}\n", "KeyBoy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy', 'https://www.secureworks.com/research/threat-profiles/bronze-hobart', 'https://citizenlab.ca/2016/11/parliament-keyboy/', 'https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/', 'https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html'], 'synonyms': ['TSSL']}\n", "APT3 Keylogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3', 'https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/', 'https://twitter.com/smoothimpact/status/773631684038107136', 'http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong']}\n", "KEYMARBLE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.us-cert.gov/ncas/analysis-reports/AR18-221A', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://research.checkpoint.com/north-korea-turns-against-russian-targets/']}\n", "KGH_SPY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy', 'https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw', 'https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite']}\n", "Khonsari {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.khonsari', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks', 'https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/', 'https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/']}\n", "KHRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat', 'https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/', 'https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/', 'https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor', 'https://unit42.paloaltonetworks.com/atoms/rancortaurus/']}\n", "Kikothac {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac', 'https://www.group-ib.com/resources/threat-research/silence.html']}\n", "KillAV {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.killav', 'https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/', 'https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/']}\n", "KillDisk {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk', 'http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks', 'https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt', 'https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/', 'http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/', 'https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://attack.mitre.org/groups/G0034', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/', 'https://www.secureworks.com/research/threat-profiles/iron-viking']}\n", "KilllSomeOne {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.killsomeone', 'https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/']}\n", "KimJongRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kimjongrat', 'https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F']}\n", "Kimsuky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', \"https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware\", 'https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure', 'https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf', 'https://blog.prevailion.com/2019/09/autumn-aperture-report.html', 'https://asec.ahnlab.com/en/37396/', 'https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/', 'https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/', 'https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf', 'https://blog.alyac.co.kr/2347', 'https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html', 'https://asec.ahnlab.com/en/30532/']}\n", "Kingminer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer', 'https://news.sophos.com/en-us/2020/06/09/kingminer-report/', 'https://asec.ahnlab.com/en/32572/', 'https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf', 'https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf', 'https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html']}\n", "KINS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kins', 'https://github.com/nyx0/KINS', 'https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/', 'https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html', 'https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/'], 'synonyms': ['Kasper Internet Non-Security', 'Maple']}\n", "KIVARS (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars', 'https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt', 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/']}\n", "Klackring {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.klackring', 'https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/']}\n", "KleptoParasite Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer'], 'synonyms': ['Joglog', 'Parasite']}\n", "KlingonRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.klingon_rat', 'https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/']}\n", "KLRD {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd', 'https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks', 'https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html']}\n", "Knot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.knot', 'https://twitter.com/malwrhunterteam/status/1345313324825780226']}\n", "Koadic {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic', 'https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf', 'https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf', 'https://www.secureworks.com/research/threat-profiles/cobalt-ulster', 'https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/', 'https://www.secureworks.com/research/threat-profiles/gold-drake', 'https://blog.tofile.dev/2020/11/28/koadic_jarm.html', 'https://www.secureworks.com/research/threat-profiles/cobalt-trinity', 'http://www.secureworks.com/research/threat-profiles/cobalt-ulster', 'https://github.com/zerosum0x0/koadic', 'http://www.secureworks.com/research/threat-profiles/gold-drake', 'https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter', 'https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf']}\n", "KokoKrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt', 'https://twitter.com/struppigel/status/812726545173401600']}\n", "KOMPROGO {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo', 'https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf', 'https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx', 'https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html', 'https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99'], 'synonyms': ['Splinter RAT']}\n", "Konni {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.konni', 'https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b', 'https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/', 'https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/', 'https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/', 'https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/', 'http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html', 'https://blog.alyac.co.kr/2474', 'http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html', 'https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant', 'https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf', 'https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/', 'https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/', 'https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf', 'https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/', 'https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/', 'https://us-cert.cisa.gov/ncas/alerts/aa20-227a']}\n", "KoobFace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf']}\n", "Korlia {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia', 'http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit', 'https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment', 'https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf', 'https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/', 'https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/', 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/', 'https://securitykitten.github.io/2014/11/25/curious-korlia.html', 'https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf', 'https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/', 'https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf', 'https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html', 'https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md', 'https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf', 'https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf', 'https://asec.ahnlab.com/1298', 'https://www.secureworks.com/research/threat-profiles/bronze-huntley', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://www.youtube.com/watch?v=_fstHQSK-kk'], 'synonyms': ['Bisonal']}\n", "Kovter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://0xchrollo.github.io/articles/unpacking-kovter-malware/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/', 'https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md', 'https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update', 'https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf', 'https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/', 'https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless']}\n", "KPOT Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://isc.sans.edu/diary/26010', 'https://news.drweb.com/show/?i=13242&lng=en', 'https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/', 'https://isc.sans.edu/diary/25934', 'https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware', 'https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/', 'https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal', 'https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/', 'https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md'], 'synonyms': ['Khalesi', 'Kpot']}\n", "Krachulka {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.krachulka', 'https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/']}\n", "Kraken {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://www.recordedfuture.com/kraken-cryptor-ransomware/', 'https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/', 'https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/']}\n", "KrBanker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker', 'https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html', 'https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/', 'http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/', 'https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan'], 'synonyms': ['BlackMoon']}\n", "KrDownloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader']}\n", "Kronos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos', 'https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/', 'https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses', 'https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/', 'https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/', 'https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html', 'https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf', 'https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/', 'https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan', 'https://twitter.com/3xp0rtblog/status/1294157781415743488', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware', 'https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack', 'https://intel471.com/blog/privateloader-malware', 'https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/', 'https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html', 'https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/', 'https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/', 'https://www.proofpoint.com/us/threat-insight/post/kronos-reborn'], 'synonyms': ['Osiris']}\n", "KryptoCibule {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kryptocibule', 'https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/']}\n", "KSL0T {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t', 'https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/', 'https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/', 'https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/']}\n", "Kuaibu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8'], 'synonyms': ['Barys', 'Gofot', 'Kuaibpy']}\n", "Kuluoz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz']}\n", "Kurton {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "Kutaki {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki', 'https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/']}\n", "Kwampirs {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs', 'https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf', 'https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia', 'https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts', 'https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat', 'https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf', 'http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html', 'https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/', 'https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/', 'https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html']}\n", "LALALA Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer', 'https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/', 'https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html', 'https://twitter.com/luc4m/status/1276477397102145538', 'https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/']}\n", "Lambert (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert', 'https://www.youtube.com/watch?v=jeLd-gw2bWo', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7', 'https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://twitter.com/_CPResearch_/status/1484502090068242433', 'https://ti.qianxin.com/blog/articles/network-weapons-of-cia/'], 'synonyms': ['Plexor']}\n", "Lamdelin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin', 'http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/']}\n", "LatentBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot', 'https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/', 'http://malware-traffic-analysis.net/2017/04/25/index.html', 'https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html', 'https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/', 'https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access']}\n", "Laturo Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo', 'https://seclists.org/snort/2019/q3/343']}\n", "Laziok {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok', 'https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector', 'https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802', 'https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken']}\n", "LazyCat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat', 'https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/', 'https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/']}\n", "LCPDot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot', 'https://securelist.com/lazarus-trojanized-defi-app/106195/', 'https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html', 'https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf', 'https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/']}\n", "Leakthemall {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.leakthemall', 'https://id-ransomware.blogspot.com/2020/09/leakthemall-ransomware.html']}\n", "Leash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.leash', 'https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/']}\n", "Lemon Duck {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck', 'https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/', 'https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html', 'https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728', 'https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/', 'https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf', 'https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/', 'https://cybotsai.com/lemon-duck-attack/', 'https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/', 'https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html', 'https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/', 'https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/', 'https://success.trendmicro.com/solution/000261916', 'https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html', 'https://asec.ahnlab.com/en/31811/']}\n", "Leouncia {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia', 'https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html', 'https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html'], 'synonyms': ['shoco']}\n", "Lethic {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic', 'http://www.malware-traffic-analysis.net/2017/11/02/index.html', 'http://resources.infosecinstitute.com/win32lethic-botnet-analysis/', 'http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html']}\n", "LetMeOut {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.letmeout', 'http://blog.nsfocus.net/murenshark/']}\n", "Liderc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf', 'https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html', 'https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/', 'https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media'], 'synonyms': ['LEMPO']}\n", "LightNeuron {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron', 'https://securelist.com/apt-trends-report-q2-2018/86487/', 'https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/', 'https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments', 'https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'], 'synonyms': ['NETTRANS', 'XTRANS']}\n", "Lightning Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lightning_stealer', 'https://blog.cyble.com/2022/04/05/inside-lightning-stealer/']}\n", "Ligsterac {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ligsterac', 'http://atm.cybercrime-tracker.net/index.php', 'https://securelist.com/atm-infector/74772/']}\n", "Lilith {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith', 'https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388', 'https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/', 'https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/', 'https://github.com/werkamsus/Lilith', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf']}\n", "limedownloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.limedownloader', 'https://github.com/NYAN-x-CAT/Lime-Downloader']}\n", "limeminer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.limeminer', 'https://github.com/NYAN-x-CAT/Lime-Miner']}\n", "LimeRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat', 'https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html', 'https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns', 'https://github.com/NYAN-x-CAT/Lime-RAT/', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html', 'https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://lab52.io/blog/apt-c-36-recent-activity-analysis/', 'https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html', 'https://blog.reversinglabs.com/blog/rats-in-the-library', 'https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html', 'https://www.youtube.com/watch?v=x-g-ZLeX8GM', 'https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://blog.yoroi.company/research/limerat-spreads-in-the-wild/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt']}\n", "Limitail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail']}\n", "LinseningSvr {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr', 'https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators']}\n", "Listrix {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks', 'https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group']}\n", "LiteDuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke', 'https://norfolkinfosec.com/looking-back-at-liteduke/', 'https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/']}\n", "LiteHTTP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp', 'https://viriback.com/recent-litehttp-activities-and-iocs/', 'https://github.com/zettabithf/LiteHTTP', 'https://malware.news/t/recent-litehttp-activities-and-iocs/21053']}\n", "LockBit (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit', 'https://www.ic3.gov/Media/News/2022/220204.pdf', 'https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/', 'https://www.netskope.com/blog/netskope-threat-coverage-lockbit', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/', 'https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/', 'https://id-ransomware.blogspot.com/search?q=lockbit', 'https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a', 'https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/', 'https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/', 'https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor', 'https://www.intrinsec.com/alphv-ransomware-gang-analysis', 'https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html', 'https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit', 'https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/', 'https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354', 'https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf', 'https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/', 'https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/', 'https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf', 'https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques', 'https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments', 'https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/', 'https://www.connectwise.com/resources/lockbit-profile', 'https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion', 'https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf', 'https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.youtube.com/watch?v=C733AyPzkoc', 'https://unit42.paloaltonetworks.com/emerging-ransomware-groups/', 'https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom', 'https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/', 'https://blog.lexfo.fr/lockbit-malware.html', 'https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/', 'https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/', 'https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/', 'https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md', 'https://ke-la.com/lockbit-2-0-interview-with-russian-osint/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers', 'https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1', 'https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511', 'https://www.glimps.fr/lockbit3-0/', 'https://redcanary.com/blog/intelligence-insights-november-2021/', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/', 'https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware', 'https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html', 'https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/', 'https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness', 'https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool', 'https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/', 'https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility', 'https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511', 'https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/', 'https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/', 'https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/', 'https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html', 'https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/', 'https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/', 'https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/', 'https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants', 'https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html', 'https://unit42.paloaltonetworks.com/lockbit-2-ransomware/', 'https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel', 'https://securelist.com/new-ransomware-trends-in-2022/106457/', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1', 'https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/', 'https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf', 'https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/', 'https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/', 'https://twitter.com/MsftSecIntel/status/1522690116979855360', 'https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/', 'https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/', 'https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/', 'https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022', 'https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://asec.ahnlab.com/en/35822/', 'https://intel471.com/blog/privateloader-malware', 'https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker', 'https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/', 'https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf'], 'synonyms': ['ABCD Ransomware']}\n", "LockerGoga {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga', 'https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202', 'https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure', 'https://www.youtube.com/watch?v=o6eEN0mUakM', 'https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880', 'https://content.fireeye.com/m-trends/rpt-m-trends-2020', 'https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/', 'https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/', 'https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot', 'https://www.abuse.io/lockergoga.txt', 'https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/', 'https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html', 'https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes']}\n", "LockFile {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile', 'https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/', 'https://twitter.com/VirITeXplorer/status/1428750497872232459', 'https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows', 'https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/', 'https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/', 'https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/', 'https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html', 'https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "Locky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.locky', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/', 'https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html', 'https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/', 'https://vixra.org/pdf/2002.0183v1.pdf', 'https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/', 'http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html', 'https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/', 'https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/', 'https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html', 'https://dissectingmalwa.re/picking-locky.html']}\n", "Locky (Decryptor) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor']}\n", "Locky Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader']}\n", "LockPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos', 'https://www.cyberbit.com/new-lockpos-malware-injection-technique/', 'https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html', 'https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/']}\n", "Loda {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.loda', 'https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html', 'https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/', 'https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware', 'https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel', 'https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html', 'https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html', 'https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered', 'https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA'], 'synonyms': ['LodaRAT', 'Nymeria']}\n", "LODEINFO {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html', 'https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html', 'https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf', 'https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html', 'https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf', 'https://twitter.com/jpcert_ac/status/1351355443730255872', 'https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html']}\n", "Logedrut {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut', 'https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/']}\n", "LogPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md', 'https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html']}\n", "Logtu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.logtu', 'https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/', 'https://news.drweb.ru/show/?i=14177', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf']}\n", "LoJax {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax', 'https://www.youtube.com/watch?v=VeoXT0nEcFU', 'https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/', 'https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government', 'https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://habr.com/ru/amp/post/668154/']}\n", "LokiLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lokilocker', 'https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/', 'https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware', 'https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/']}\n", "Loki Password Stealer (PWS) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws', 'http://reversing.fun/reversing/2021/06/08/lokibot.html', 'https://github.com/R3MRUM/loki-parse', 'https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads', 'https://isc.sans.edu/diary/27282', 'http://www.malware-traffic-analysis.net/2017/06/12/index.html', 'https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/', 'https://phishme.com/loki-bot-malware/', 'http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html', 'https://www.lastline.com/blog/password-stealing-malware-loki-bot/', 'https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf', 'https://securelist.com/loki-bot-stealing-corporate-passwords/87595/', 'https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.atomicmatryoshka.com/post/malware-headliners-lokibot', 'https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/', 'https://news.sophos.com/en-us/2020/05/14/raticate/', 'https://www.youtube.com/watch?v=-FxyzuRv6Wg', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html', 'https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations', 'https://www.youtube.com/watch?v=N0wAh26wShE', 'https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html', 'http://reversing.fun/posts/2021/06/08/lokibot.html', 'https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter', 'https://www.lac.co.jp/lacwatch/report/20220307_002893.html', 'https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850', 'https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/', 'https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html', 'https://isc.sans.edu/diary/24372', 'https://www.youtube.com/watch?v=K3Yxu_9OUxU', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/', 'https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2', 'https://lab52.io/blog/a-twisted-malware-infection-chain/', 'https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf', 'https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/', 'https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/', 'https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/', 'https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/', 'https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file', 'https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/', 'https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/', 'https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/', 'https://ivanvza.github.io/posts/lokibot_analysis'], 'synonyms': ['Burkina', 'Loki', 'LokiBot', 'LokiPWS']}\n", "Lokorrito {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lokorrito', 'https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/']}\n", "LOLSnif {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif', 'https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63', 'https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/', 'https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/', 'https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/', 'https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062']}\n", "LONGWATCH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch', 'https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae']}\n", "looChiper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper', 'https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/', 'https://github.com/ZLab-Cybaze-Yoroi/LooCipher_Decryption_Tool', 'https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html', 'https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/']}\n", "Lookback {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback', 'https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/', 'https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new', 'https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/', 'https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://nao-sec.org/2021/01/royal-road-redive.html', 'https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks', 'https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals', 'https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf']}\n", "L0rdix {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix', 'https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py', 'https://twitter.com/hexlax/status/1058356670835908610', 'https://www.bromium.com/decrypting-l0rdix-rats-c2/', 'https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/', 'https://blog.ensilo.com/l0rdix-attack-tool'], 'synonyms': ['lordix']}\n", "Lorenz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz', 'https://therecord.media/free-decrypter-available-for-lorenz-ransomware/', 'https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/', 'https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20', 'https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/', 'https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/', 'https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/', 'https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware']}\n", "Loup {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.loup', 'https://twitter.com/r3c0nst/status/1295275546780327936', 'https://twitter.com/Arkbird_SOLG/status/1295396936896438272']}\n", "LOWBALL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball', 'https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html', 'https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/']}\n", "LOWKEY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey', 'https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html', 'https://www.mandiant.com/resources/apt41-us-state-governments', 'https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf', 'https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/'], 'synonyms': ['PortReuse']}\n", "lsassDumper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lsassdumper', 'https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/', 'https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf']}\n", "Luca Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer', 'https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets']}\n", "Lucifer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lucifer', 'https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/', 'https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/']}\n", "Luminosity RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat', 'https://www.secureworks.com/research/threat-profiles/copper-fieldstone', 'https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/', 'https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/', 'https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/', 'https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/', 'http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html', 'https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark', 'https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf'], 'synonyms': ['LuminosityLink']}\n", "Lumma Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma', 'https://twitter.com/fumik0_/status/1559474920152875008']}\n", "LunchMoney {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney', 'https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html', 'https://twitter.com/MrDanPerez/status/1097881406661902337']}\n", "Lurk {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk', 'https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader']}\n", "Luzo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo']}\n", "Lyceum .NET DNS Backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_dns_backdoor_dotnet', 'https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/', 'https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor']}\n", "Lyceum .NET TCP Backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_dotnet', 'https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/']}\n", "Lyceum Golang HTTP Backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_golang', 'https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/']}\n", "Lyposit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit', 'https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/', 'http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html', 'http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html'], 'synonyms': ['Adneukine', 'Bomba Locker', 'Lucky Locker']}\n", "M00nD3V Logger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.m00nd3v', 'https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger']}\n", "m0yv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv', 'https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/', 'https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html', 'https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py']}\n", "Macaw {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions']}\n", "Machete {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.machete', 'https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6', 'https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html', 'https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html', 'https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america', 'https://securelist.com/el-machete/66108/', 'https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf', 'https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/'], 'synonyms': ['El Machete']}\n", "MadMax {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax']}\n", "Magala {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.magala', 'https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/']}\n", "MagicRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat', 'https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html']}\n", "Magniber {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber', 'https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/', 'https://www.youtube.com/watch?v=lqWJaaofNf4', 'https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/', 'https://asec.ahnlab.com/en/19273/', 'https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/', 'https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/', 'https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372', 'http://asec.ahnlab.com/1124', 'https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/', 'https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware', 'https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/', 'https://asec.ahnlab.com/en/30645/', 'https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/', 'https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/', 'https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/']}\n", "Mailto {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto', 'https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/', 'https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million', 'https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/', 'https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers', 'https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/', 'https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf', 'https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html', 'https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/', 'https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/', 'https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://www.justice.gov/usao-mdfl/press-release/file/1360846/download', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://zero2auto.com/2020/05/19/netwalker-re/', 'https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf', 'https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/', 'https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/', 'https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware', 'https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/', 'https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware', 'https://www.youtube.com/watch?v=q8of74upT_g', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/', 'https://www.ic3.gov/media/news/2020/200929-2.pdf', 'https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf', 'https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://lopqto.me/posts/automated-dynamic-import-resolving', 'https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/', 'https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/', 'https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/', 'https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/', 'https://zengo.com/bitcoin-ransomware-detective-ucsf/', 'https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html'], 'synonyms': ['Koko Ransomware', 'NetWalker']}\n", "Mail-O {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o', 'https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/', 'https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/', 'https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf', 'https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op', 'https://blog.group-ib.com/task']}\n", "MajikPos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos', 'https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos', 'http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/']}\n", "Makadocs {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs', 'http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html', 'https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs', 'https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/']}\n", "MakLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader', 'https://twitter.com/James_inthe_box/status/1046844087469391872']}\n", "Makop Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware', 'https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf', 'https://twitter.com/siri_urz/status/1221797493849018368', 'https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/']}\n", "Maktub {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub', 'https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/', 'https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/', 'https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html']}\n", "MalumPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos', 'http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf']}\n", "Mamba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba', 'http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/', 'https://www.ic3.gov/Media/News/2021/210323.pdf', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://securelist.com/the-return-of-mamba-ransomware/79403/'], 'synonyms': ['DiskCryptor', 'HDDCryptor']}\n", "ManameCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt', 'https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/', 'https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route'], 'synonyms': ['CryptoHost']}\n", "Mangzamel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel', 'https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2', 'https://www.youtube.com/watch?v=NFJqD-LcpIg', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf'], 'synonyms': ['junidor', 'mengkite', 'vedratve']}\n", "Manifestus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware', 'https://twitter.com/struppigel/status/811587154983981056']}\n", "ManItsMe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "Manjusaka (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka', 'https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html', 'https://github.com/avast/ioc/tree/master/Manjusaka']}\n", "Maoloa {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa', 'https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html']}\n", "MAPIget {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "Marap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.marap', 'https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf']}\n", "Mariposa {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa', 'https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/', 'https://www.us-cert.gov/ics/advisories/ICSA-10-090-01', 'https://defintel.com/docs/Mariposa_Analysis.pdf'], 'synonyms': ['Autorun', 'Palevo', 'Rimecud']}\n", "MarkiRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.markirat', 'https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/']}\n", "Mars {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mars', 'https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html'], 'synonyms': ['MarsDecrypt']}\n", "Mars Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer', 'https://x-junior.github.io/malware%20analysis/MarsStealer/', 'https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/', 'https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://cert.gov.ua/article/38606', 'https://3xp0rt.com/posts/mars-stealer', 'https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer', 'https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/', 'https://cyberint.com/blog/research/mars-stealer/', 'https://isc.sans.edu/diary/rss/28468', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer', 'https://blog.morphisec.com/threat-research-mars-stealer', 'https://blog.sekoia.io/mars-a-red-hot-information-stealer/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/', 'https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/']}\n", "Masad Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.masad_stealer', 'https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram']}\n", "MASS Logger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger', 'https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger', 'https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html', 'https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/', 'https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7', 'https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/', 'https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html', 'https://twitter.com/pancak3lullz/status/1255893734241304576', 'https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html', 'https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/', 'https://fr3d.hk/blog/masslogger-frankenstein-s-creation']}\n", "Matanbuchus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus', 'https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/', 'https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html', 'https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a', 'https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/', 'https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/', 'https://isc.sans.edu/diary/rss/28752', 'https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/']}\n", "Matiex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.matiex', 'https://labs.k7computing.com/index.php/matiex-on-sale-underground/']}\n", "Matrix Banker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker', 'https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/']}\n", "Matrix Ransom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom', 'https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf', 'https://unit42.paloaltonetworks.com/matrix-ransomware/', 'https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware', 'https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf']}\n", "Matryoshka RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat', 'https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf', 'http://www.clearskysec.com/tulip/']}\n", "Matsnu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu', 'https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf']}\n", "Maudi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf', 'https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html']}\n", "Maui Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.maui', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-187a', 'https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/', 'https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf', 'https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf']}\n", "Maxtrilha {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.maxtrilha', 'https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/#.YT3_VfwzaKN']}\n", "Maze {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.maze', 'https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/', 'https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/', 'https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md', 'https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html', 'https://www.secureworks.com/research/threat-profiles/gold-village', 'https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/', 'https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/', 'https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update', 'https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/', 'https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html', 'https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer', 'https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf', 'https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/', 'https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/', 'https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/', 'https://securelist.com/targeted-ransomware-encrypting-data/99255/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf', 'https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/', 'https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html', 'https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf', 'https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/', 'https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/', 'https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/', 'https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1', 'https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/', 'https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://adversary.crowdstrike.com/adversary/twisted-spider/', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/', 'https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html', 'https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html', 'https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot', 'https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/', 'https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://twitter.com/certbund/status/1192756294307995655', 'https://oag.ca.gov/system/files/Letter%204.pdf', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf', 'https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/', 'http://www.secureworks.com/research/threat-profiles/gold-village', 'https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel', 'https://www.docdroid.net/dUpPY5s/maze.pdf', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://securelist.com/maze-ransomware/99137/', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/', 'https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md', 'https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/', 'https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/', 'https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat', 'https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/', 'https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide', 'https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/', 'https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/', 'https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/', 'https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/', 'https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/', 'https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/', 'https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker', 'https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/', 'https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/', 'https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us', 'https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/'], 'synonyms': ['ChaCha']}\n", "MBRlock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock', 'http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html', 'https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d', 'https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/', 'https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100'], 'synonyms': ['DexLocker']}\n", "MBR Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker', 'https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html']}\n", "Mebromi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi', 'https://www.symantec.com/connect/blogs/bios-threat-showing-again', 'https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/', 'http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/', 'http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html'], 'synonyms': ['MyBios']}\n", "MECHANICAL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/'], 'synonyms': ['GoldStamp']}\n", "Medre {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.medre', 'http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html']}\n", "Medusa (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa', 'https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/', 'https://news.drweb.com/show/?i=10302&lng=en']}\n", "MedusaLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/', 'https://www.cybereason.com/blog/medusalocker-ransomware', 'https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/', 'https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html', 'http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-181a', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf', 'https://blog.talosintelligence.com/2020/04/medusalocker.html', 'https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html', 'https://twitter.com/siri_urz/status/1215194488714346496?s=20', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://www.mandiant.com/resources/chasing-avaddon-ransomware', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/', 'https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/'], 'synonyms': ['AKO Doxware', 'AKO Ransomware', 'MedusaReborn']}\n", "MegaCortex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex', 'https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries', 'https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure', 'https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/', 'https://blog.malwarebytes.com/detections/ransom-megacortex/', 'https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot', 'https://threatpost.com/megacortex-ransomware-mass-distribution/146933/', 'https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/', 'https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks']}\n", "MeguminTrojan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/']}\n", "Mekotio {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio', 'https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf', 'http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853', 'https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/', 'https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/', 'https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/', 'https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/', 'https://twitter.com/hpsecurity/status/1509185858146082816', 'https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/']}\n", "Melcoz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.melcoz', 'https://securelist.com/the-tetrade-brazilian-banking-malware/97779/']}\n", "Meow {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.meow', 'https://id-ransomware.blogspot.com/2022/09/meow-ransomware.html']}\n", "MercurialGrabber {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mercurialgrabber', 'https://github.com/NightfallGT/Mercurial-Grabber', 'https://twitter.com/Arkbird_SOLG/status/1432127748001128459']}\n", "Merlin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin', 'http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html', 'https://github.com/Ne0nd0g/merlin', 'http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html']}\n", "Mespinoza {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza', 'https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/', 'https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/', 'https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/', 'https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf', 'https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html', 'http://www.secureworks.com/research/threat-profiles/gold-burlap', 'https://www.ic3.gov/Media/News/2021/210316.pdf', 'https://twitter.com/campuscodi/status/1347223969984897026', 'https://twitter.com/inversecos/status/1456486725664993287', 'https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html', 'https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware', 'https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/', 'https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/'], 'synonyms': ['pysa']}\n", "MetadataBin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin', 'https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html'], 'synonyms': ['Ransomware32']}\n", "METALJACK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack', 'https://www.youtube.com/watch?v=ftjDH65kw6E', 'https://s.tencent.com/research/report/944.html', 'https://m.threatbook.cn/detail/2527', 'https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf', 'https://www.secrss.com/articles/17900', 'https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/', 'https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html'], 'synonyms': ['denesRAT']}\n", "Metamorfo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo', 'https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767', 'https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html', 'https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf', 'https://cofense.com/blog/autohotkey-banking-trojan/', 'https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html', 'https://blog.ensilo.com/metamorfo-avast-abuser', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md', 'https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf', 'https://twitter.com/MsftSecIntel/status/1418706916922986504'], 'synonyms': ['Casbaneiro']}\n", "MetaStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem', 'https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/']}\n", "Meteor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.meteor', 'https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/', 'https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://twitter.com/_cpresearch_/status/1541753913732366338', 'https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/']}\n", "Meterpreter (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter', 'https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine', 'https://explore.group-ib.com/htct/hi-tech_crime_2018', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services', 'https://redcanary.com/blog/getsystem-offsec/', 'https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea', 'https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence', 'https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf', 'https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass', 'https://unit42.paloaltonetworks.com/atoms/obscureserpens/', 'https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md', 'https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html', 'https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/', 'http://www.secureworks.com/research/threat-profiles/gold-winter', 'https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/', 'https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/', 'https://blog.morphisec.com/fin7-attacks-restaurant-industry', 'https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/', 'https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/', 'https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/', 'https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/', 'http://schierlm.users.sourceforge.net/avevasion.html', 'https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/', 'https://us-cert.cisa.gov/ncas/alerts/aa20-301a', 'https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis', 'https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-franklin', 'https://asec.ahnlab.com/ko/26705/', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a']}\n", "Mevade {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf', 'https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/', 'https://www.youtube.com/watch?v=FttiysUZmDw'], 'synonyms': ['SBC', 'Sefnit']}\n", "Mewsei {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei']}\n", "MgBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot', 'https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf', 'https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware', 'https://twitter.com/GossiTheDog/status/1438500100238577670', 'https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/', 'https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s'], 'synonyms': ['BLame', 'MgmBot']}\n", "Miancha {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha']}\n", "Micrass {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass', 'https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/']}\n", "MicroBackdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor', 'https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/', 'https://github.com/cr4sh/microbackdoor', 'https://cert.gov.ua/article/37626', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/', 'https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/', 'https://www.mandiant.com/resources/spear-phish-ukrainian-entities', 'https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/']}\n", "Microcin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin', 'https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf', 'https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/', 'https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/', 'https://github.com/dlegezo/common', 'https://securelist.com/microcin-is-here/97353/', 'https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia', 'https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf', 'https://securelist.com/microcin-is-here/97353', 'https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636']}\n", "Micropsia {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia', 'https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html', 'https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf', 'http://blog.talosintelligence.com/2017/06/palestine-delphi.html', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md', 'https://research.checkpoint.com/apt-attack-middle-east-big-bang/', 'http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/']}\n", "Midas {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.midas', 'https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants', 'https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/', 'https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/']}\n", "Mikoponi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi', 'https://www.anomali.com/blog/targeted-ransomware-activity']}\n", "Milan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.milan', 'https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/', 'https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf']}\n", "MILKMAID {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf']}\n", "Milum {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.milum', 'https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf', 'https://securelist.com/wildpressure-targets-macos/103072/', 'https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/']}\n", "MimiKatz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz', 'https://www.accenture.com/us-en/blogs/security/ransomware-hades', 'https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia', 'https://www.welivesecurity.com/2022/09/06/worok-big-picture/', 'https://www.secureworks.com/research/samsam-ransomware-campaigns', 'https://www.secureworks.com/research/threat-profiles/tin-woodlawn', 'https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/', 'http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle', 'http://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://www.hvs-consulting.de/lazarus-report/', 'https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/', 'https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-152a', 'https://unit42.paloaltonetworks.com/atoms/obscureserpens/', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics', 'https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/', 'https://attack.mitre.org/groups/G0011', 'https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/', 'http://www.secureworks.com/research/threat-profiles/gold-drake', 'https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection', 'https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html', 'https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/', 'https://noticeofpleadings.com/nickel/#', 'https://us-cert.cisa.gov/ncas/alerts/aa20-275a', 'https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks', 'https://www.secureworks.com/research/threat-profiles/gold-drake', 'https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/', 'https://attack.mitre.org/groups/G0096', 'http://www.secureworks.com/research/threat-profiles/gold-franklin', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/', 'https://www.infinitumit.com.tr/apt-35/', 'https://blog.xpnsec.com/exploring-mimikatz-part-1/', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf', 'https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153', 'https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/', 'https://www.ic3.gov/Media/News/2021/210527.pdf', 'https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/', 'https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass', 'https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/', 'https://www.ic3.gov/media/news/2020/200917-1.pdf', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/', 'https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta', 'https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom', 'https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html', 'https://twitter.com/swisscom_csirt/status/1354052879158571008', 'https://github.com/gentilkiwi/mimikatz', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis', 'https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos', 'https://securelist.com/the-sessionmanager-iis-backdoor/106868/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east', 'https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf', 'https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx', 'https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html', 'https://attack.mitre.org/groups/G0034', 'https://www.secureworks.com/research/threat-profiles/gold-kingswood', 'https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html', 'https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks', 'https://www.secureworks.com/research/threat-profiles/cobalt-hickman', 'https://awakesecurity.com/blog/catching-the-white-stork-in-flight/', 'https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/', 'https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/', 'https://www.slideshare.net/yurikamuraki5/active-directory-240348605', 'https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf', 'https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html', 'https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments', 'https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730', 'https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html', 'https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/', 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-vinewood', 'https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf', 'https://www.secureworks.com/blog/ransomware-deployed-by-adversary', 'https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf', 'https://www.varonis.com/blog/hive-ransomware-analysis', 'https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021', 'https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/', 'https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east', 'https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/', 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers', 'https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/', 'https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran', 'https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf', 'https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html', 'https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/', 'https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/', 'https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html', 'https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks', 'https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf', 'https://www.ic3.gov/Media/News/2021/210823.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-burlap', 'https://twitter.com/inversecos/status/1456486725664993287', 'https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two', 'https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf', 'https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions']}\n", "Mindware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware', 'https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/']}\n", "MINEBRIDGE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge', 'https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism', 'https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures', 'https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html', 'https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat', 'https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/', 'https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/'], 'synonyms': ['GazGolder']}\n", "MiniASP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "MiniDuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke', 'https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/', 'https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf', 'https://www.secureworks.com/research/threat-profiles/iron-hemlock', 'https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/']}\n", "MiniStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ministealer', 'https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/']}\n", "Mirage {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage', 'https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf', 'https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-palace']}\n", "MirageFox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox', 'https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/']}\n", "Mirai (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai', 'https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/', 'https://unit42.paloaltonetworks.com/moobot-d-link-devices/', 'https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack', 'https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot/', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html', 'https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/', 'https://twitter.com/PhysicalDrive0/status/830070569202749440']}\n", "MirrorBlast {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast', 'https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies', 'https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant', 'https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924', 'https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/', 'https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/']}\n", "Misdat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat', 'https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf']}\n", "Misfox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox'], 'synonyms': ['MixFox', 'ModPack']}\n", "Misha {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.misha', 'https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/']}\n", "Mispadu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu', 'https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/', 'https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces', 'https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU'], 'synonyms': ['URSA']}\n", "MISTYVEAL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mistyveal', 'https://www.epicturla.com/previous-works/hitb2020-voltron-sta', 'https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/']}\n", "Miuref {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref']}\n", "MMON {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mmon', 'http://reversing.fun/posts/2022/01/02/mmon.html'], 'synonyms': ['Kaptoxa']}\n", "MM Core {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core']}\n", "MobiRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat', 'https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/']}\n", "Mocton {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton']}\n", "ModernLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.modern_loader', 'https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html'], 'synonyms': ['AvatarBot']}\n", "MoDi RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.modirat', 'https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands/']}\n", "ModPipe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe', 'https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/', 'https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data', 'https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data']}\n", "ModPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos', 'https://www.fireeye.com/blog/threat-research/2015/11/modpos.html', 'https://twitter.com/physicaldrive0/status/670258429202530306'], 'synonyms': ['straxbot']}\n", "Mofksys {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys', 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/']}\n", "Moisha Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moisha', 'https://id-ransomware.blogspot.com/2022/08/moisha-ransomware.html']}\n", "Moker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moker', 'https://breakingmalware.com/malware/moker-part-2-capabilities/', 'https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/', 'https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/', 'http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network']}\n", "Mokes (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes', 'https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/', 'https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/']}\n", "Mole {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mole', 'https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/', 'https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware']}\n", "MoleNet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.molenet', 'https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign']}\n", "Molerat Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader', 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf', 'http://www.clearskysec.com/iec/', 'https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/', 'https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/', 'https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east']}\n", "Monero Miner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner', 'https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/', 'https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor', 'https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/'], 'synonyms': ['CoinMiner']}\n", "mongall {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mongall', 'https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/']}\n", "MontysThree {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree', 'https://securelist.com/montysthree-industrial-espionage/98972/'], 'synonyms': ['MT3']}\n", "MoonBounce {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf', 'https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/', 'https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html', 'https://habr.com/ru/amp/post/668154/']}\n", "MoonWind {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind', 'http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/']}\n", "MoriAgent {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent', 'https://twitter.com/Timele9527/status/1272776776335233024', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-055a', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611', 'https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf', 'https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/']}\n", "Moriya {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya', 'https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/']}\n", "Morphine {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine']}\n", "Morto {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.morto', 'https://www.f-secure.com/weblog/archives/00002227.html', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A', 'http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html']}\n", "MosaicRegressor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mosaic_regressor', 'https://securelist.com/mosaicregressor/98849/']}\n", "Moserpass {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moserpass', 'https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/']}\n", "Mosquito {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito', 'https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/', 'https://www.recordedfuture.com/turla-apt-infrastructure/', 'https://securelist.com/shedding-skin-turlas-fresh-faces/88069/', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf', 'https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/']}\n", "Mount Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker', 'https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html', 'https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/', 'https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html', 'https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/', 'https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/', 'https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/', 'https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/', 'https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/', 'https://securityscorecard.pathfactory.com/research/quantum-ransomware', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/', 'https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/', 'https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/', 'https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/', 'https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry', 'https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker', 'https://blogs.blackberry.com/en/2021/11/zebra2104', 'https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates'], 'synonyms': ['QuantumLocker']}\n", "Moure {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.moure']}\n", "mozart {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-11-the-mozart-ram-scraper.md', 'https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html']}\n", "MPKBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot', 'https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf', 'https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/'], 'synonyms': ['MPK']}\n", "MRAC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mrac', 'https://id-ransomware.blogspot.com/2021/12/mrac-ransomware.html']}\n", "MrDec {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec', 'https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html']}\n", "MrPeter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mr_peter', 'https://github.com/mrfr05t/Mr.Peter']}\n", "MulCom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mulcom', 'https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies']}\n", "Multigrain POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos', 'https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html', 'https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/']}\n", "murkytop {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop', 'https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk']}\n", "Murofet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.wired.com/2017/03/russian-hacker-spy-botnet/', 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group']}\n", "Mutabaha {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha', 'http://vms.drweb.ru/virus/?_is=1&i=8477920']}\n", "MyDogs {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs', 'https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html', 'https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/', 'https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html', 'https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html']}\n", "MyDoom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069', 'https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503', 'http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf', 'https://www.malware-traffic-analysis.net/2018/12/19/index.html'], 'synonyms': ['Mimail', 'Novarg']}\n", "MyKings Spreader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader', 'https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf', 'https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/', 'https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators', 'http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf', 'https://blog.talosintelligence.com/2020/07/valak-emerges.html', 'http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/']}\n", "MyloBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot', 'http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html', 'https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/', 'https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html', 'https://github.com/360netlab/DGA/issues/36', 'https://blog.centurylink.com/mylobot-continues-global-infections/', 'http://www.freebuf.com/column/153424.html'], 'synonyms': ['FakeDGA', 'WillExec']}\n", "MysterySnail {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mystery_snail', 'https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/']}\n", "MZRevenge {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.mzrevenge', 'https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html'], 'synonyms': ['MaMo434376']}\n", "N40 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.n40', 'https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/', 'https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector', 'http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html', 'http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware']}\n", "Nabucur {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur']}\n", "NACHOCHEESE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b', 'https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html', 'https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf', 'https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/'], 'synonyms': ['Cyruslish', 'TWOPENCE', 'VIVACIOUSGIFT']}\n", "Nagini {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini', 'http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/']}\n", "Naikon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://securelist.com/analysis/publications/69953/the-naikon-apt/'], 'synonyms': ['Sacto']}\n", "Nanocore RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore', 'https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0', 'https://community.riskiq.com/article/ade260c6', 'https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire', 'https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://www.secureworks.com/research/threat-profiles/cobalt-trinity', 'https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA', 'https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://goggleheadedhacker.com/blog/post/11', 'https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332', 'https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/', 'https://www.ic3.gov/media/news/2020/200917-1.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/', 'https://malwareindepth.com/defeating-nanocore-and-cypherit/', 'https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat', 'https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html', 'https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore', 'https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/', 'https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/', 'https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html', 'https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html', 'https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52', 'https://intel471.com/blog/privateloader-malware', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://community.riskiq.com/article/24759ad2', 'https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/', 'https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://blog.morphisec.com/syk-crypter-discord', 'https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage', 'https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage'], 'synonyms': ['Nancrat', 'NanoCore']}\n", "NanoLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker']}\n", "Narilam {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam', 'https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage', 'http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html']}\n", "Nautilus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus', 'https://www.ncsc.gov.uk/alerts/turla-group-malware', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims']}\n", "NavRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://blog.talosintelligence.com/2018/05/navrat.html?m=1', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf', 'https://www.youtube.com/watch?v=rfzmHjZX70s', 'https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/'], 'synonyms': ['JinhoSpy']}\n", "nccTrojan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan', 'https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/', 'https://vblocalhost.com/uploads/VB2020-20.pdf', 'https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9', 'https://twitter.com/ESETresearch/status/1441139057682104325?s=20', 'https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf', 'https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan', 'https://www.youtube.com/watch?v=1WfPlgtfWnQ']}\n", "Nebulae {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae', 'https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware', 'https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf', 'https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/', 'https://twitter.com/SyscallE/status/1390339497804636166', 'https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos']}\n", "Necurs {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/', 'https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/', 'https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much', 'https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-riverview', 'https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/', 'https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/', 'https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/', 'https://www.secureworks.com/research/threat-profiles/gold-riverview', 'https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'http://blog.talosintelligence.com/2017/03/necurs-diversifies.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors', 'https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features', 'https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/'], 'synonyms': ['nucurs']}\n", "NedDnLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf']}\n", "Nefilim {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim', 'https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html', 'https://securelist.com/evolution-of-jsworm-ransomware/102428/', 'https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware', 'https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html', 'https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html', 'https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot', 'https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data', 'https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html', 'http://www.secureworks.com/research/threat-profiles/gold-mansard', 'https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/'], 'synonyms': ['Nephilim']}\n", "Nemim {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim', 'https://www.secureworks.com/research/threat-profiles/tungsten-bridge', 'http://blog.nsfocus.net/darkhotel-3-0908/'], 'synonyms': ['Nemain']}\n", "Nemty {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://securelist.com/evolution-of-jsworm-ransomware/102428/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet', 'https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/', 'https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html', 'https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/', 'https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/', 'https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/', 'https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/', 'https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/', 'https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/', 'http://www.secureworks.com/research/threat-profiles/gold-mansard', 'https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw', 'https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/', 'https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/', 'https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf']}\n", "Nerbian RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nerbian_rat', 'https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques']}\n", "neshta {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta', 'https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html', 'https://www.mandiant.com/resources/pe-file-infecting-malware-ot', 'https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest', 'https://www.virusradar.com/en/Win32_Neshta.A/description']}\n", "NESTEGG {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg', 'https://youtu.be/8hJyLkLHH8Q?t=1208', 'https://youtu.be/_kzFNQySEMw?t=789', 'https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html', 'https://content.fireeye.com/apt/rpt-apt38', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf']}\n", "NetC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netc', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "NetDooka {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netdooka', 'https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html']}\n", "NETEAGLE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/', 'https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf'], 'synonyms': ['Neteagle_Scout', 'ScoutEagle']}\n", "NetfilterRootkit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter', 'https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html', 'https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit', 'https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf', 'https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/', 'https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/', 'https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/', 'https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users']}\n", "NetFlash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netflash', 'https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/']}\n", "NetKey {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey', 'https://twitter.com/kevinperlow/status/1156406115472760835']}\n", "Netrepser {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger', 'https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/']}\n", "NetSupportManager RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat', 'https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee', 'https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/', 'https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer', 'http://www.netsupportmanager.com/index.asp', 'https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/', 'https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/', 'https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/', 'https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html'], 'synonyms': ['NetSupport']}\n", "NetTraveler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler', 'https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests', 'https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf'], 'synonyms': ['TravNet']}\n", "NetWire RC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire', 'https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/', 'https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers', 'https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader', 'https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/', 'http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf', 'https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire', 'https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/', 'https://news.sophos.com/en-us/2020/05/14/raticate/', 'https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://www.circl.lu/pub/tr-23/', 'https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf', 'https://www.secureworks.com/research/threat-profiles/cobalt-trinity', 'https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.', 'https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA', 'http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html', 'https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/', 'https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg', 'https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view', 'https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign', 'https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html', 'https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://community.riskiq.com/article/24759ad2', 'https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://www.youtube.com/watch?v=TeQdZxP0RYY', 'https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers', 'https://news.drweb.ru/show/?i=13281&c=23', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/', 'https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html', 'https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data', 'https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/', 'https://threatpost.com/ta2541-apt-rats-aviation/178422/'], 'synonyms': ['NetWeird', 'NetWire', 'Recam']}\n", "Neuron {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron', 'https://www.ncsc.gov.uk/alerts/turla-group-malware', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims']}\n", "Neutrino {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino', 'https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/', 'https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html', 'http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html', 'https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/', 'http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html', 'http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/', 'https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/', 'https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/', 'https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet', 'https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/', 'https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22', 'http://blog.ptsecurity.com/2019/08/finding-neutrino.html', 'https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex'], 'synonyms': ['Kasidet']}\n", "Neutrino POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos', 'https://securelist.com/neutrino-modification-for-pos-terminals/78839/']}\n", "NewBounce {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce', 'https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf']}\n", "NewCore RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat', 'https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/', 'https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations', 'https://securelist.com/cycldek-bridging-the-air-gap/97157/', 'https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view', 'https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6']}\n", "NewPass {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass', 'https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/']}\n", "NewPosThings {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings', 'https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/']}\n", "NewsReels {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "NewCT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct', 'https://www.secureworks.com/research/threat-profiles/bronze-express', 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf', 'http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf', 'https://unit42.paloaltonetworks.com/atoms/shallowtaurus/'], 'synonyms': ['CT']}\n", "Nexster Bot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot', 'https://twitter.com/benkow_/status/789006720668405760']}\n", "NexusLogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger', 'https://twitter.com/PhysicalDrive0/status/842853292124360706', 'http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/']}\n", "Ngioweb (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb', 'https://research.checkpoint.com/ramnits-network-proxy-servers/', 'https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html'], 'synonyms': ['Grobios']}\n", "NGLite {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nglite', 'https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/', 'https://us-cert.cisa.gov/ncas/alerts/aa21-336a']}\n", "Nibiru {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nibiru', 'https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html']}\n", "NightSky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/', 'https://twitter.com/cglyer/status/1480742363991580674', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation', 'https://www.youtube.com/watch?v=Yzt_zOO8pDM', 'https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/', 'https://twitter.com/cglyer/status/1480734487000453121'], 'synonyms': ['Night Sky']}\n", "NimbleMamba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba', 'https://thehackernews.com/2022/02/palestinian-hackers-using-new.html', 'https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage']}\n", "NimGrabber {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber', 'https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671']}\n", "Nimrev {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nimrev', 'https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671']}\n", "nitlove {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove', 'https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html']}\n", "Nitol {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol', 'https://en.wikipedia.org/wiki/Nitol_botnet', 'https://krebsonsecurity.com/tag/nitol/', 'https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/']}\n", "win.nitro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro', 'https://twitter.com/malwrhunterteam/status/1430616882231578624', 'https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/', 'https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf', 'https://github.com/nightfallgt/nitro-ransomware'], 'synonyms': ['Hydra']}\n", "Nitrokod {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrokod', 'https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications']}\n", "NixScare Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nixscare', 'https://twitter.com/3xp0rtblog/status/1302584919592501248']}\n", "NjRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control', 'https://www.4hou.com/posts/VoPM', 'https://asec.ahnlab.com/1369', 'https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt', 'https://ti.360.net/blog/articles/analysis-of-apt-c-27/', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/', 'https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf', 'https://blog.talosintelligence.com/2021/07/sidecopy.html', 'https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'https://www.secureworks.com/research/threat-profiles/copper-fieldstone', 'https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware', 'https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html', 'https://news.sophos.com/en-us/2020/05/14/raticate/', 'https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/', 'https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/', 'https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA', 'https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://forensicitguy.github.io/njrat-installed-from-msi/', 'https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388', 'https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains', 'https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/', 'https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/', 'https://labs.k7computing.com/?p=21904', 'https://blog.reversinglabs.com/blog/rats-in-the-library', 'https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT', 'https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g', 'https://twitter.com/ESETresearch/status/1449132020613922828', 'https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/', 'https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt', 'https://intel471.com/blog/privateloader-malware', 'https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf', 'https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html', 'https://blogs.360.cn/post/APT-C-44.html', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel', 'https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479', 'https://blog.morphisec.com/syk-crypter-discord', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://attack.mitre.org/groups/G0096', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html', 'https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/', 'http://blogs.360.cn/post/analysis-of-apt-c-37.html', 'https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html', 'https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/', 'https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf'], 'synonyms': ['Bladabindi']}\n", "nmass malware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nmass', 'https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2']}\n", "Nocturnal Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer', 'https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap']}\n", "Nokki {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki', 'https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf']}\n", "Nokoyawa Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa', 'https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/']}\n", "NorthStar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.northstar', 'https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping']}\n", "NoxPlayer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer', 'https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf']}\n", "Nozelesn (Decryptor) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor']}\n", "nRansom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom', 'https://twitter.com/malwrhunterteam/status/910952333084971008', 'https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/', 'https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin']}\n", "NuggetPhantom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nugget_phantom', 'https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/', 'https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf']}\n", "Numando {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.numando', 'https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/', 'https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/']}\n", "NVISOSPIT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit', 'http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf', 'https://twitter.com/Bank_Security/status/1134850646413385728', 'https://twitter.com/r3c0nst/status/1135606944427905025']}\n", "N-W0rm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nworm', 'https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/', 'https://bazaar.abuse.ch/browse/tag/N-W0rm/', 'https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/'], 'synonyms': ['NWorm', 'nw0rm']}\n", "Nymaim {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim', 'https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf', 'https://www.cert.pl/en/news/single/nymaim-revisited/', 'https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled', 'https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/', 'https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/', 'https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/', 'https://bitbucket.org/daniel_plohmann/idapatchwork', 'https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded', 'https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf', 'https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0', 'https://www.lawfareblog.com/what-point-these-nation-state-indictments', 'https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/', 'https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/'], 'synonyms': ['nymain']}\n", "Nymaim2 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/']}\n", "Oblique RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf', 'https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html', 'https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://securelist.com/transparent-tribe-part-2/98233/', 'https://www.secrss.com/articles/24995', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf', 'https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html', 'https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html', 'https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/']}\n", "Obscene {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene', 'https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html', 'https://habr.com/ru/post/27053/']}\n", "Oceansalt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf']}\n", "Octopus (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus', 'https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw', 'https://securelist.com/octopus-infested-seas-of-central-asia/88200/', 'https://isc.sans.edu/diary/26918']}\n", "OddJob {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob']}\n", "Oderoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//'], 'synonyms': ['Bobax', 'Kraken']}\n", "Odinaff {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff', 'https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks', 'https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks']}\n", "Okrum {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/', 'https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/', 'https://securelist.com/apt-trends-report-q3-2020/99204/']}\n", "OLDBAIT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf', 'https://www.secjuice.com/fancy-bear-review/', 'https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf'], 'synonyms': ['Sasfis']}\n", "Olympic Destroyer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer', 'https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/', 'https://www.lastline.com/labsblog/attribution-from-russia-with-code/', 'https://www.youtube.com/watch?v=wCv9SiSA7Sw', 'https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights', 'https://attack.mitre.org/groups/G0034', 'http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html', 'https://www.lastline.com/labsblog/olympic-destroyer-south-korea/', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://www.youtube.com/watch?v=a4BZ3SZN-CI', 'https://securelist.com/the-devils-in-the-rich-header/84348/', 'https://securelist.com/olympic-destroyer-is-still-alive/86169/', 'https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/', 'https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/', 'http://blog.talosintelligence.com/2018/02/olympic-destroyer.html', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.youtube.com/watch?v=rjA0Vf75cYk', 'https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/', 'https://www.mbsd.jp/blog/20180215.html', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://www.youtube.com/watch?v=1jgdMY12mI8', 'https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/'], 'synonyms': ['SOURGRAPE']}\n", "ONHAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat', 'https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators', 'https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview']}\n", "Oni {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oni', 'https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/']}\n", "OnionDuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke', 'https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/', 'https://www.secureworks.com/research/threat-profiles/iron-hemlock', 'http://contagiodump.blogspot.com/2014/11/onionduke-samples.html', 'https://blog.f-secure.com/podcast-dukes-apt29/', 'https://www.f-secure.com/weblog/archives/00002764.html']}\n", "OnlinerSpambot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner', 'https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/', 'https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html', 'https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html'], 'synonyms': ['Onliner', 'SBot']}\n", "OopsIE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie', 'https://unit42.paloaltonetworks.com/atoms/evasive-serpens/', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae', 'https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/', 'https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr']}\n", "Opachki {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki', 'http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html', 'https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519', 'http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html', 'https://forum.malekal.com/viewtopic.php?t=21806']}\n", "OpenSUpdater {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.opensupdater', 'https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/']}\n", "OpGhoul {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul', 'https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/']}\n", "OpBlockBuster {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster', 'http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/']}\n", "ORANGEADE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf']}\n", "OrcaRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat', 'http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html', 'https://www.secureworks.com/research/threat-profiles/bronze-fleetwood']}\n", "Orchard {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard', 'https://blog.netlab.360.com/orchard-dga/', 'https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/', 'https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/']}\n", "Orcus RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks', 'http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/', 'https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html', 'https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/', 'https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html', 'https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors', 'https://assets.virustotal.com/reports/2021trends.pdf', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/'], 'synonyms': ['Schnorchel']}\n", "Ordinypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt', 'https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/', 'https://www.gdata.de/blog/2017/11/30151-ordinypt', 'https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat'], 'synonyms': ['GermanWiper', 'HSDFSDCrypt']}\n", "OriginLogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.originlogger', 'https://unit42.paloaltonetworks.com/originlogger/']}\n", "Oski Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.oski', 'https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/', 'https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer', 'https://3xp0rt.com/posts/mars-stealer', 'https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601', 'https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become', 'https://cyberint.com/blog/research/mars-stealer/', 'https://twitter.com/albertzsigovits/status/1160874557454131200', 'https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view', 'https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/']}\n", "Osno {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.osno', 'https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit', 'https://labs.k7computing.com/?p=21562'], 'synonyms': ['Babax']}\n", "Ousaban {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ousaban', 'https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services', 'https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/', 'https://www.atomicmatryoshka.com/post/ousaban-msi-installer-analysis']}\n", "OutCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.outcrypt', 'https://id-ransomware.blogspot.com/2020/07/outcrypt-ransomware.html']}\n", "Outlook Backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf', 'https://twitter.com/VK_Intel/status/1085820673811992576'], 'synonyms': ['FACADE']}\n", "OutSteel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.outsteel', 'https://www.telsy.com/download/6372/?uid=d3eb8e1489']}\n", "Overlay RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat', 'https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking', 'https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/']}\n", "OvidiyStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer', 'https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses']}\n", "owaauth {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/'], 'synonyms': ['luckyowa']}\n", "Owlproxy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy', 'https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20', 'https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf', 'https://securelist.com/the-sessionmanager-iis-backdoor/106868/', 'https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/']}\n", "Owowa {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.owowa', 'https://securelist.com/owowa-credential-stealer-and-remote-access/105219/']}\n", "OZH RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat', 'https://twitter.com/BushidoToken/status/1266075992679948289']}\n", "Ozone RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ozone', 'https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html', 'https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel']}\n", "PadCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt', 'https://johannesbader.ch/2016/03/the-dga-of-padcrypt/', 'https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/']}\n", "paladin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin', 'https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html', 'https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf']}\n", "PandaBanker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker', 'https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847', 'https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers', 'https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/', 'http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html', 'https://www.spamhaus.org/news/article/771/', 'https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/', 'https://www.youtube.com/watch?v=J7VOfAJvxEY', 'https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media', 'https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf', 'http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html', 'https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much', 'https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html'], 'synonyms': ['ZeusPanda']}\n", "Panda Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html']}\n", "Pandora {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora', 'https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/', 'https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/', 'https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/', 'https://dissectingmalwa.re/blog/pandora/']}\n", "Pandora RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora_rat', 'https://github.com/AZMagic/Pandora-Hvnc-Hidden-Browser-Real-Vnc-Working-Chromium-Edge-Opera-Gx', 'https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya', 'https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware'], 'synonyms': ['Pandora hVNC RAT']}\n", "Paradies Clipper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.paradies_clipper', 'https://www.youtube.com/watch?v=wjoH9jW2EPQ']}\n", "Paradise {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise', 'https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/', 'https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/', 'https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again', 'https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool', 'https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/']}\n", "Parallax RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax', 'https://blog.morphisec.com/parallax-rat-active-status', 'https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html', 'https://twitter.com/malwrhunterteam/status/1227196799997431809', 'https://threatpost.com/ta2541-apt-rats-aviation/178422/', 'https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html', 'https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/', 'https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/'], 'synonyms': ['ParallaxRAT']}\n", "parasite_http {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http', 'https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks']}\n", "PartyTicket {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.partyticket', 'https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket', 'https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/', 'https://securelist.com/new-ransomware-trends-in-2022/106457/', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/', 'https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine', 'https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/', 'https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/', 'https://www.mandiant.com/resources/information-operations-surrounding-ukraine', 'https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf', 'https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/', 'https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/', 'https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war', 'https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/', 'https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine', 'https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware', 'https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/', 'https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html', 'https://www.brighttalk.com/webcast/15591/534324'], 'synonyms': ['Elections GoRansom', 'HermeticRansom', 'SonicVote']}\n", "Passlock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.passlock', 'https://id-ransomware.blogspot.com']}\n", "Pay2Key {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://twitter.com/TrendMicroRSRCH/status/1389422784808378370', 'https://research.checkpoint.com/2020/ransomware-alert-pay2key/', 'https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf'], 'synonyms': ['Cobalt']}\n", "PayloadBIN {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin', 'https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/']}\n", "PcShare {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare', 'https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf']}\n", "PEBBLEDASH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash', 'https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf', 'https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf', 'https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1', 'https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-133c', 'https://asec.ahnlab.com/en/30022/', 'https://blog.reversinglabs.com/blog/hidden-cobra', 'https://asec.ahnlab.com/en/30532/']}\n", "PeddleCheap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap', 'https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/', 'https://twitter.com/ESETresearch/status/1258353960781598721', 'https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#', 'https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/']}\n", "Pekraut {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pekraut', 'https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing']}\n", "Penco {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.penco']}\n", "PennyWise Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pennywise', 'https://blog.cyble.com/2022/06/30/infostealer/']}\n", "Peppy RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.peppy_rat', 'https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf']}\n", "PetrWrap {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap', 'https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/', 'https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/']}\n", "Petya {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.petya', 'https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/', 'https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/', 'https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/', 'https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/', 'https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/', 'https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html']}\n", "pgift {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift'], 'synonyms': ['ReRol']}\n", "PhanDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor', 'https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf']}\n", "Philadephia Ransom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom', 'https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/', 'https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/']}\n", "Phobos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos', 'https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/', 'https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/', 'https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware', 'https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware', 'https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/', 'https://blogs.blackberry.com/en/2021/11/zebra2104', 'https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/', 'https://securelist.com/cis-ransomware/104452/']}\n", "Phoenix Keylogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger', 'https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass', 'https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/']}\n", "Phoenix Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker', 'https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp']}\n", "PHOREAL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal', 'https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf', 'https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/', 'https://www.secureworks.com/research/threat-profiles/tin-woodlawn'], 'synonyms': ['Rizzo']}\n", "Phorpiex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://research.checkpoint.com/2019/phorpiex-breakdown/', 'https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/', 'https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/', 'https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/', 'https://www.johannesbader.ch/2016/02/phorpiex/', 'https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet', 'https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/', 'https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://twitter.com/_CPResearch_/status/1447852018794643457', 'https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/', 'https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/'], 'synonyms': ['Trik']}\n", "PhotoLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader', 'https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/', 'https://twitter.com/felixw3000/status/1521816045769662468', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.silentpush.com/blog/icedid-command-and-control-infrastructure', 'https://isc.sans.edu/diary/28636', 'https://www.silentpush.com/blog/malicious-infrastructure-as-a-service', 'https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/', 'https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html', 'https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes']}\n", "PICKPOCKET {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket', 'https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae']}\n", "Pierogi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pierogi', 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf', 'https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor']}\n", "PILLOWMINT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/']}\n", "PingBack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pingback', 'https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/']}\n", "pipcreat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat', 'https://www.snort.org/rule_docs/1-26941']}\n", "PipeMon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon', 'https://twitter.com/ESETresearch/status/1506904404225630210', 'https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/']}\n", "pirpi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi', 'https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html', 'https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-mayfair', 'https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/'], 'synonyms': ['CookieCutter', 'SHOTPUT']}\n", "Pitou {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou', 'https://www.tgsoft.it/english/news_archivio_eng.asp?id=884', 'https://isc.sans.edu/diary/rss/25068', 'http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf', 'https://johannesbader.ch/2019/07/the-dga-of-pitou/', 'https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf']}\n", "PittyTiger RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat', 'https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/', 'https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf']}\n", "Pkybot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot', 'http://blog.kleissner.org/?p=788', 'http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot'], 'synonyms': ['Bublik', 'Pykbot', 'TBag']}\n", "PLAINTEE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/', 'https://www.secureworks.com/research/threat-profiles/bronze-overbrook', 'https://unit42.paloaltonetworks.com/atoms/rancortaurus/']}\n", "PLAY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.play', 'https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/', 'https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html', 'https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/'], 'synonyms': ['PlayCrypt']}\n", "playwork {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork', 'https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html']}\n", "PLEAD (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.plead', 'https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html', 'https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf', 'https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/', 'https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf', 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf', 'https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt', 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'http://www.freebuf.com/column/159865.html', 'https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html', 'https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/', 'https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html', 'https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html', 'https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html', 'https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020', 'https://securelist.com/apt-trends-report-q2-2019/91897/'], 'synonyms': ['DRAWDOWN', 'GOODTIMES', 'Linopid']}\n", "Ploutus ATM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm', 'https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html', 'https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html', 'https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam', 'http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html', 'https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america', 'https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf']}\n", "ployx {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx', 'https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx', 'https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html']}\n", "PlugX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx', 'https://blog.xorhex.com/blog/mustangpandaplugx-1/', 'https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html', 'https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/', 'https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/', 'http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html', 'https://securelist.com/time-of-death-connected-medicine/84315/', 'https://www.secureworks.com/research/threat-profiles/bronze-riverside', 'https://www.youtube.com/watch?v=r1zAVX_HnJg', 'https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/', 'https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://www.youtube.com/watch?v=6SDdUVejR2w', 'https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/', 'https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn', 'https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf', 'https://unit42.paloaltonetworks.com/thor-plugx-variant/', 'https://therecord.media/redecho-group-parks-domains-after-public-exposure/', 'https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/', 'http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/', 'https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/', 'https://attack.mitre.org/groups/G0096', 'https://twitter.com/xorhex/status/1399906601562165249?s=20', 'https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html', 'https://twitter.com/stvemillertime/status/1261263000960450562', 'https://www.contextis.com/en/blog/dll-search-order-hijacking', 'https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html', 'https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf', 'https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/', 'https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia', 'https://www.secureworks.com/research/threat-profiles/bronze-olive', 'https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/', 'https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf', 'https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/', 'https://www.secureworks.com/research/threat-profiles/bronze-woodland', 'https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers', 'https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/', 'https://www.secureworks.com/research/threat-profiles/bronze-firestone', 'https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf', 'https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf', 'https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/', 'https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf', 'https://unit42.paloaltonetworks.com/atoms/shallowtaurus/', 'https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html', 'https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/', 'https://www.secureworks.com/research/threat-profiles/bronze-express', 'https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf', 'https://www.youtube.com/watch?v=E2_DTQJjDYc', 'https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/', 'https://tracker.h3x.eu/info/290', 'https://www.lac.co.jp/lacwatch/people/20171218_001445.html', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt', 'https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/', 'https://www.secureworks.com/research/threat-profiles/bronze-overbrook', 'https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/', 'https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/', 'https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-president', 'https://community.rsa.com/thread/185439', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.contextis.com/en/blog/avivore', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html', 'https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://www.contextis.com/de/blog/avivore', 'https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/', 'https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/', 'https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/', 'https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments', 'https://www.youtube.com/watch?v=qEwBGGgWgOM', 'https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/', 'https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html', 'https://blog.xorhex.com/blog/reddeltaplugxchangeup/', 'https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/', 'https://www.secureworks.com/research/bronze-president-targets-ngos', 'https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf', 'https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited', 'https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report', 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage', 'https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf', 'https://www.recordedfuture.com/china-linked-ta428-threat-group', 'https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/', 'https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html', 'https://blog.xorhex.com/blog/mustangpandaplugx-2/', 'http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html', 'https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/', 'https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf', 'https://risky.biz/whatiswinnti/', 'https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/', 'https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx', 'https://www.macnica.net/file/security_report_20160613.pdf', 'https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf', 'https://securelist.com/cycldek-bridging-the-air-gap/97157/', 'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf', 'https://www.recordedfuture.com/redecho-targeting-indian-power-sector/', 'https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader', 'https://www.secureworks.com/blog/bronze-president-targets-government-officials', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader', 'https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf', 'https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/', 'https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html', 'https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military', 'https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html', 'https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/', 'https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf', 'https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf', 'https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/', 'http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html', 'http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf', 'https://www.us-cert.gov/ncas/alerts/TA17-117A', 'https://www.youtube.com/watch?v=C_TmANnbS2k', 'https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf', 'https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/', 'https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia', 'https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt', 'https://blog.ensilo.com/uncovering-new-activity-by-apt10', 'https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://attack.mitre.org/groups/G0001/', 'https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european', 'https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/', 'https://www.youtube.com/watch?v=IRh6R8o1Q7U', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/', 'https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/', 'https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/', 'https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf'], 'synonyms': ['Destroy RAT', 'Kaba', 'Korplug', 'RedDelta', 'Sogu', 'TIGERPLUG']}\n", "Plurox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox', 'https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html', 'https://securelist.com/plurox-modular-backdoor/91213/']}\n", "pngdowner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner', 'https://attack.mitre.org/groups/G0024', 'https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31']}\n", "PNGLoad {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.png_load', 'https://www.welivesecurity.com/2022/09/06/worok-big-picture/']}\n", "PocoDown {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown', 'https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html', 'https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html', 'https://twitter.com/cyb3rops/status/1129653190444703744'], 'synonyms': ['Blitz', 'PocoDownloader']}\n", "poisonplug {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html', 'https://content.fireeye.com/apt-41/rpt-apt41/'], 'synonyms': ['Barlaiy']}\n", "Poison Ivy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy', 'https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/', 'http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant', 'https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/', 'https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://www.secureworks.com/research/threat-profiles/bronze-firestone', 'https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/', 'https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-riverside', 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers', 'https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf', 'https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/', 'https://unit42.paloaltonetworks.com/atoms/shallowtaurus/', 'https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html', 'https://www.youtube.com/watch?v=1WfPlgtfWnQ', 'https://attack.mitre.org/groups/G0011', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf', 'https://www.secureworks.com/research/threat-profiles/aluminum-saratoga', 'https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html', 'https://vblocalhost.com/uploads/VB2020-20.pdf', 'http://blogs.360.cn/post/APT_C_01_en.html', 'http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf', 'https://community.riskiq.com/article/56fa1b2f', 'https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf', 'https://us-cert.cisa.gov/ncas/alerts/aa20-275a', 'https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/', 'https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii', 'https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf', 'https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/', 'https://unit42.paloaltonetworks.com/atoms/crawling-taurus/', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.recordedfuture.com/china-linked-ta428-threat-group', 'https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html', 'https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis', 'https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf', 'https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/'], 'synonyms': ['SPIVY', 'pivy', 'poisonivy']}\n", "Poison RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_rat', 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/']}\n", "Poldat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat', 'https://youtu.be/DDA2uSxjVWY?t=344', 'https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf', 'http://fireeyeday.com/1604/pdf/KeyNote_2.pdf'], 'synonyms': ['KABOB', 'Zlib']}\n", "PolPo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.polpo', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/']}\n", "PolyglotDuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke', 'https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/', 'https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.secureworks.com/research/threat-profiles/iron-hemlock']}\n", "Polyglot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom', 'https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/']}\n", "Pony {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pony', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.secureworks.com/research/threat-profiles/gold-galleon', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/', 'https://www.youtube.com/watch?v=EyDiIAt__dI', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://github.com/nyx0/Pony', 'https://www.youtube.com/watch?v=y8Z9KnL8s8s', 'https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf', 'https://www.youtube.com/watch?v=42yldTQ-fWA', 'https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://www.secureworks.com/research/threat-profiles/gold-evergreen', 'https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection', 'http://www.secureworks.com/research/threat-profiles/gold-essex', 'https://www.knowbe4.com/pony-stealer', 'https://www.secureworks.com/research/threat-profiles/gold-essex', 'http://www.secureworks.com/research/threat-profiles/gold-galleon', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-evergreen', 'https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry', 'https://www.uperesia.com/analysis-of-a-packed-pony-downloader'], 'synonyms': ['Fareit', 'Siplog']}\n", "PoohMilk Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk', 'https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/', 'http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html']}\n", "PoorWeb {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb', 'https://securelist.com/apt-trends-report-q2-2018/86487/', 'https://asec.ahnlab.com/ko/18796/', 'https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats', 'https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf', 'https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019', 'https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/']}\n", "Popcorn Time {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time']}\n", "PortDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor', 'https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/', 'https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf']}\n", "portless {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.portless', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf']}\n", "poscardstealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer', 'http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf']}\n", "PoshC2 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2', 'http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets', 'https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/', 'https://paper.seebug.org/1301/', 'https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/', 'https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html', 'https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/', 'https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md', 'https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf', 'https://github.com/nettitude/PoshC2_Python/', 'https://redcanary.com/blog/getsystem-offsec/', 'https://www.secureworks.com/research/threat-profiles/cobalt-trinity', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf']}\n", "PoSlurp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp', 'https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/', 'https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf', 'https://twitter.com/just_windex/status/1162118585805758464', 'https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/'], 'synonyms': ['PUNCHTRACK']}\n", "Poulight Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer', 'https://www.youtube.com/watch?v=MaPXDCq-Gf4', 'https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20', 'https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/', 'https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true'], 'synonyms': ['Poullight']}\n", "Povlsomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware', 'https://youtu.be/oYLs6wuoOfg', 'https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html']}\n", "Poweliks {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks', 'https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/', 'https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file', 'https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users']}\n", "POWERBAND {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powerband', 'https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/']}\n", "PowerCat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat', 'https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/', 'https://twitter.com/VK_Intel/status/1141540229951709184', 'https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/']}\n", "PowerDuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke', 'https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/', 'https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/']}\n", "powerkatz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz', 'https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/']}\n", "PowerLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader', 'https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html']}\n", "PowerPool {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool', 'https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/']}\n", "PowerShellRunner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner', 'https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1', 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/']}\n", "Powersniff {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff', 'https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf', 'https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/', 'https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/', 'https://lokalhost.pl/gozi_tree.txt', 'https://content.fireeye.com/m-trends/rpt-m-trends-2017'], 'synonyms': ['PUNCHBUGGY']}\n", "PowerRatankba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://content.fireeye.com/apt/rpt-apt38', 'https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf', 'https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/'], 'synonyms': ['QUICKRIDE.POWER']}\n", "prb_backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor', 'https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html']}\n", "Predator The Thief {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.predator', 'https://www.secureworks.com/research/threat-profiles/gold-galleon', 'https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/', 'https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf', 'https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/', 'https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://securelist.com/a-predatory-tale/89779']}\n", "Prikormka {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka', 'https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf']}\n", "Prilex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex', 'https://www.kaspersky.com/blog/chip-n-pin-cloning/21502', 'https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/']}\n", "PrincessLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker', 'https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/', 'https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/', 'https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/']}\n", "PrivateLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader', 'https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f', 'https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem', 'https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service', 'https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise', 'https://www.youtube.com/watch?v=Ldp7eESQotM', 'https://www.zscaler.com/blogs/security-research/peeking-privateloader', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html', 'https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e', 'https://intel471.com/blog/privateloader-malware', 'https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/']}\n", "PRIVATELOG {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog', 'https://twitter.com/ESETresearch/status/1433819369784610828', 'https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html', 'https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques', 'https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive']}\n", "Project Hook POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.project_hook', 'https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/']}\n", "Prometei (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei', 'https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html', 'https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities', 'https://twitter.com/honeymoon_ioc/status/1494016518694309896', 'https://twitter.com/honeymoon_ioc/status/1494311182550904840']}\n", "Prometheus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus', 'https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea', 'https://unit42.paloaltonetworks.com/prometheus-ransomware/', 'https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/', 'https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/', 'https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd', 'https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/', 'https://twitter.com/inversecos/status/1441252744258461699?s=20', 'https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html', 'https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware', 'https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd']}\n", "proteus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.proteus', 'https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html']}\n", "Proto8RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.proto8_rat', 'https://github.com/avast/ioc/tree/master/OperationDragonCastling']}\n", "ProtonBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot', 'https://www.youtube.com/watch?v=FttiysUZmDw', 'https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/']}\n", "Prynt Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.prynt_stealer', 'https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed', 'https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/', 'https://twitter.com/vxunderground/status/1519632014361640960']}\n", "PseudoManuscrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt', 'https://asec.ahnlab.com/en/31683/', 'https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/']}\n", "PsiX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.psix', 'https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/', 'https://twitter.com/mesa_matt/status/1035211747957923840', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module', 'https://twitter.com/seckle_ch/status/1169558035649433600', 'https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure']}\n", "PSLogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a', 'https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/'], 'synonyms': ['ECCENTRICBANDWAGON']}\n", "PC Surveillance System {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pss', 'https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/'], 'synonyms': ['PSS']}\n", "Pteranodon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon', 'https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution', 'https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/', 'https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt', 'https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/', 'https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine', 'https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations', 'https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game', 'https://blogs.cisco.com/security/network-footprints-of-gamaredon-group', 'https://blog.threatstop.com/russian-apt-gamaredon-group', 'https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/', 'https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/', 'https://cert.gov.ua/news/46', 'https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021', 'https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf', 'https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html', 'https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/', 'https://attack.mitre.org/groups/G0047', 'https://cert.gov.ua/news/42', 'https://www.elastic.co/blog/playing-defense-against-gamaredon-group', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine', 'https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/'], 'synonyms': ['Pterodo']}\n", "PubNubRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat', 'http://blog.alyac.co.kr/1853', 'https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html']}\n", "Punkey POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/', 'https://www.pandasecurity.com/mediacenter/malware/punkeypos/'], 'synonyms': ['pospunk', 'punkeypos']}\n", "pupy (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html', 'https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/', 'https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html', 'https://www.infinitumit.com.tr/apt-35/', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt', 'https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf', 'https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/', 'https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations', 'https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://github.com/n1nj4sec/pupy', 'https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage'], 'synonyms': ['Patpoopy']}\n", "PureLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker', 'https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e', 'https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/', 'https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md']}\n", "PurpleFox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox', 'https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware', 'https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html', 'https://twitter.com/C0rk1_H/status/1412801973628272641?s=20', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf', 'https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html', 'https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit', 'https://s.tencent.com/research/report/1322.html', 'https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html', 'https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/', 'https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/', 'https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit', 'https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/', 'https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/', 'https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt', 'https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html']}\n", "PurpleWave {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave', 'https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia']}\n", "Pushdo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo', 'https://www.secureworks.com/research/pushdo', 'http://www.secureworks.com/research/threat-profiles/gold-essex', 'http://malware-traffic-analysis.net/2017/04/03/index2.html', 'https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf', 'https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-essex', 'https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/']}\n", "Putabmow {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow']}\n", "puzzlemaker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker', 'https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/']}\n", "PvzOut {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "PwndLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker', 'https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://www.group-ib.com/blog/prolock_evolution', 'https://www.intrinsec.com/egregor-prolock/', 'https://www.group-ib.com/blog/prolock', 'https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://medium.com/s2wlab/operation-synctrek-e5013df8d167', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf', 'https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/', 'https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/', 'https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/', 'https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html', 'https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/', 'https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/', 'https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/'], 'synonyms': ['ProLock']}\n", "pwnpos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos', 'https://twitter.com/physicaldrive0/status/573109512145649664', 'https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/', 'https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html']}\n", "Pykspa {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa', 'https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html', 'https://www.youtube.com/watch?v=HfSQlC76_s4', 'https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/', 'https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/']}\n", "PyLocky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky', 'https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/', 'https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/', 'https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html', 'https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/', 'https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/', 'https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/', 'https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/'], 'synonyms': ['Locky Locker']}\n", "PyXie {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie', 'https://www.secureworks.com/research/threat-profiles/gold-dupont', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/', 'https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx', 'https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.ic3.gov/Media/News/2021/211101.pdf', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/'], 'synonyms': ['PyXie RAT']}\n", "Qaccel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel']}\n", "Qadars {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.johannesbader.ch/2016/04/the-dga-of-qadars/', 'https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan', 'https://securityintelligence.com/an-analysis-of-the-qadars-trojan/', 'https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/', 'https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/']}\n", "QakBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot', 'https://securelist.com/qakbot-technical-analysis/103931/', 'https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf', 'https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks', 'https://www.malwarology.com/posts/3-qakbot-process-injection/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/', 'https://twitter.com/TheDFIRReport/status/1361331598344478727', 'https://www.circl.lu/pub/tr-64/', 'https://malwareandstuff.com/upnp-messing-up-security-since-years/', 'https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/', 'https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html', 'https://www.group-ib.com/blog/prolock_evolution', 'https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html', 'https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/', 'https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/', 'https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://threatresearch.ext.hp.com/detecting-ta551-domains/', 'https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/', 'https://twitter.com/Unit42_Intel/status/1461004489234829320', 'https://www.secureworks.com/research/threat-profiles/gold-lagoon', 'https://www.elastic.co/security-labs/qbot-configuration-extractor', 'https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/', 'https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html', 'https://blog.group-ib.com/prometheus-tds', 'https://twitter.com/_alex_il_/status/1384094623270727685', 'https://www.um.edu.mt/library/oar/handle/123456789/76802', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot', 'https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf', 'http://contagiodump.blogspot.com/2010/11/template.html', 'https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/', 'https://www.malwarology.com/2022/04/qakbot-series-process-injection/', 'https://blog.quosec.net/posts/grap_qakbot_strings/', 'https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf', 'https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/', 'https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html', 'https://www.malwarology.com/posts/4-qakbot-api-hashing/', 'https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/', 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf', 'https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks', 'https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf', 'https://quosecgmbh.github.io/blog/grap_qakbot_strings.html', 'https://content.fireeye.com/m-trends/rpt-m-trends-2020', 'https://redcanary.com/blog/intelligence-insights-december-2021', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf', 'https://www.group-ib.com/blog/egregor', 'https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html', 'https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/', 'https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html', 'https://twitter.com/kienbigmummy/status/1460537501676802051', 'https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/', 'https://isc.sans.edu/diary/rss/26862', 'https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs', 'https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros', 'https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike', 'https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/', 'https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/', 'https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot', 'https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta', 'https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/', 'https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/', 'https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf', 'https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot', 'https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan', 'https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf', 'https://blog.quosec.net/posts/grap_qakbot_navigation/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf', 'https://experience.mandiant.com/trending-evil/p/1', 'https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/', 'https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/', 'https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html', 'https://www.youtube.com/watch?v=4I0LF8Vm7SI', 'https://isc.sans.edu/diary/rss/28728', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf', 'https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware', 'https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7', 'https://hatching.io/blog/reversing-qakbot', 'https://redcanary.com/blog/intelligence-insights-november-2021/', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf', 'https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/', 'https://twitter.com/tylabs/status/1462195377277476871', 'https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.elastic.co/de/security-labs/qbot-malware-analysis', 'https://isc.sans.edu/diary/rss/28568', 'https://twitter.com/Corvid_Cyber/status/1455844008081641472', 'https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/', 'https://www.elastic.co/security-labs/qbot-malware-analysis', 'https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/', 'https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html', 'https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/', 'https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques', 'https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm', 'https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/', 'https://www.atomicmatryoshka.com/post/malware-headliners-qakbot', 'https://www.malwarology.com/2022/04/qakbot-series-api-hashing/', 'https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor', 'https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex', 'https://intel471.com/blog/conti-emotet-ransomware-conti-leaks', 'https://www.youtube.com/watch?v=iB1psRMtlqg', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/', 'https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/', 'https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html', 'https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7', 'https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/', 'https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/', 'https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf', 'https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques', 'https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html', 'https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html', 'https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'http://www.secureworks.com/research/threat-profiles/gold-lagoon', 'https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf', 'https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/', 'https://www.intrinsec.com/egregor-prolock/', 'https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view', 'https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf', 'https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/', 'https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html', 'https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails', 'https://twitter.com/ChouchWard/status/1405168040254316547', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf', 'https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/', 'https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern', 'https://www.youtube.com/watch?v=M22c1JgpG-U', 'https://isc.sans.edu/diary/rss/28448', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/', 'https://www.bitsight.com/blog/emotet-botnet-rises-again', 'https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/', 'https://experience.mandiant.com/trending-evil-2/p/1', 'https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/', 'https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware', 'https://twitter.com/elisalem9/status/1381859965875462144', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4', 'https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise', 'https://www.silentpush.com/blog/malicious-infrastructure-as-a-service', 'https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/', 'https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/', 'https://www.malwarology.com/posts/2-qakbot-conf-extraction/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://twitter.com/redcanary/status/1334224861628039169', 'https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf', 'https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/'], 'synonyms': ['Oakboat', 'Pinkslipbot', 'Qbot', 'Quakbot']}\n", "QHost {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost'], 'synonyms': ['Tolouge']}\n", "QtBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot', 'https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/'], 'synonyms': ['qtproject']}\n", "QuantLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat', 'https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/', 'https://twitter.com/Arkbird_SOLG/status/1458973883068043264', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/']}\n", "Quasar RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat', 'https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html', 'https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/', 'https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign', 'https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/', 'https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers', 'https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat', 'https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/', 'https://blog.minerva-labs.com/trapping-quasar-rat', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/', 'https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite', 'https://twitter.com/struppigel/status/1130455143504318466', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html', 'https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/', 'https://www.antiy.cn/research/notice&report/research_report/20201228.html', 'https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/', 'https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-riverside', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934', 'https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848', 'https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques', 'https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf', 'https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html', 'https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/', 'https://www.secureworks.com/research/threat-profiles/aluminum-saratoga', 'https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html', 'https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/', 'https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525', 'https://blog.reversinglabs.com/blog/rats-in-the-library', 'https://blog.malwarelab.pl/posts/venom/', 'https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/', 'http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments', 'https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf', 'https://intel471.com/blog/privateloader-malware', 'https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/', 'https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf', 'https://blog.ensilo.com/uncovering-new-activity-by-apt10', 'https://twitter.com/malwrhunterteam/status/789153556255342596', 'https://asec.ahnlab.com/en/31089/', 'https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/', 'https://blog.morphisec.com/syk-crypter-discord', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?', 'https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ', 'https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage', 'https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass', 'https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html', 'https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['CinaRAT', 'QuasarRAT', 'Yggdrasil']}\n", "QuickHeal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf', 'https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42']}\n", "QUICKMUTE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.quickmute', 'https://cert.gov.ua/article/375404']}\n", "QuietSieve {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.quietsieve', 'https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/']}\n", "Qulab {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab', 'https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/']}\n", "QvoidStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.qvoidstealer', 'https://github.com/Enum0x539/Qvoid-Token-Grabber'], 'synonyms': ['Qvoid-Token-Grabber']}\n", "r980 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.r980', 'https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/']}\n", "Raccoon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon', 'https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/', 'https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/', 'https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/', 'https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/', 'https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer', 'https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/', 'https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/', 'https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf', 'https://twitter.com/GroupIB_GIB/status/1570821174736850945', 'https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/', 'https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/', 'https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block', 'https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf', 'https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family', 'https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem', 'https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/', 'https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/', 'https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/', 'https://www.group-ib.com/blog/fakesecurity_raccoon', 'https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d', 'https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html', 'https://www.youtube.com/watch?v=5KHZSmBeMps', 'https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/', 'https://www.riskiq.com/blog/labs/magecart-medialand/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf', 'https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/', 'https://www.youtube.com/watch?v=1dbepxN2YD8', 'https://d01a.github.io/raccoon-stealer/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/', 'https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/', 'https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d', 'https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://asec.ahnlab.com/en/35981/', 'https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a', 'https://asec.ahnlab.com/ko/25837/', 'https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram', 'https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d', 'https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/'], 'synonyms': ['Mohazo', 'RaccoonStealer', 'Racealer', 'Racoon']}\n", "Rad {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rad', 'https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf']}\n", "Radamant {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant']}\n", "RadRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat', 'https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/']}\n", "RagnarLocker (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker', 'https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1', 'https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/', 'https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/', 'https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://seguranca-informatica.pt/ragnar-locker-malware-analysis/', 'https://securelist.com/targeted-ransomware-encrypting-data/99255/', 'https://securelist.com/modern-ransomware-groups-ttps/106824/', 'https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/', 'https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf', 'https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information', 'https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html', 'https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html', 'https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.ic3.gov/Media/News/2022/220307.pdf', 'https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/', 'https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/', 'https://www.acronis.com/en-sg/articles/ragnar-locker/', 'https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf', 'https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom', 'https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker', 'http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/', 'https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://twitter.com/AltShiftPrtScn/status/1403707430765273095', 'https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf', 'https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/', 'https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel', 'https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/']}\n", "Ragnarok {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok', 'https://news.sophos.com/en-us/2020/05/21/asnarok2/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf', 'https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw', 'https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "Raindrop {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop', 'https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf', 'https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://www.youtube.com/watch?v=GfbxHy6xnbA', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware', 'https://www.mandiant.com/resources/unc2452-merged-into-apt29', 'https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf', 'https://www.sans.org/webcasts/contrarian-view-solarwinds-119515']}\n", "Rakhni {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni', 'https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/']}\n", "Rambo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo', 'https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-overbrook', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md', 'https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html'], 'synonyms': ['brebsd']}\n", "Ramdo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo']}\n", "Ramnit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit', 'https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/', 'https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/', 'https://www.mandiant.com/resources/pe-file-infecting-malware-ot', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf', 'http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/', 'https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/', 'https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89', 'https://muha2xmad.github.io/unpacking/ramnit/', 'https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html', 'http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html', 'https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest', 'https://www.youtube.com/watch?v=l6ZunH6YG0A', 'https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://research.checkpoint.com/ramnits-network-proxy-servers/', 'https://artik.blue/malware4', 'https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail', 'http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html', 'https://www.youtube.com/watch?v=N4f2e8Mygag', 'http://www.secureworks.com/research/threat-profiles/gold-fairfax', 'https://redcanary.com/resources/webinars/deep-dive-process-injection/'], 'synonyms': ['Nimnul']}\n", "Ramsay {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://www.antiy.cn/research/notice&report/research_report/20200522.html', 'https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/', 'https://www.youtube.com/watch?v=SKIu4LqMrns', 'https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html', 'https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/']}\n", "Ranbyus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus', 'http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html', 'https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/', 'https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/', 'https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf']}\n", "Ranion {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ranion', 'https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas']}\n", "Ranscam {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam', 'http://blog.talosintel.com/2016/07/ranscam.html']}\n", "Ransoc {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc', 'https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles']}\n", "RansomEXX (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx', 'https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3', 'https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/', 'https://github.com/Bleeping/Ransom.exx', 'https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/', 'https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.ic3.gov/Media/News/2021/211101.pdf', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware', 'https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/', 'https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html', 'https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4', 'https://www.youtube.com/watch?v=qxPXxWMI2i4'], 'synonyms': ['Defray777', 'Ransom X']}\n", "Ransomlock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock', 'https://forum.malekal.com/viewtopic.php?t=36485&start=', 'https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2'], 'synonyms': ['WinLock']}\n", "SNC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomware_snc', 'https://yomi.yoroi.company/report/5deea91bac2ea1dcf5337ad8/5deead588a4518a7074dc6e6/overview']}\n", "Rapid Ransom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom', 'https://twitter.com/malwrhunterteam/status/977275481765613569', 'https://twitter.com/malwrhunterteam/status/997748495888076800', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145', 'https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do']}\n", "RapidStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer', 'http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html']}\n", "Rarog {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog', 'https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/', 'https://tracker.fumik0.com/malware/Rarog']}\n", "rarstar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar', 'https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses']}\n", "Raspberry Robin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin', 'https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/', 'https://redcanary.com/blog/raspberry-robin/', 'https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks', 'https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/', 'https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices', 'https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm'], 'synonyms': ['LINK_MSIEXEC', 'QNAP-Worm', 'RaspberryRobin']}\n", "Ratankba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware', 'http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html', 'https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html', 'https://twitter.com/PhysicalDrive0/status/828915536268492800', 'https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/', 'https://www.secureworks.com/research/threat-profiles/nickel-gladstone', 'https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf', 'https://content.fireeye.com/apt/rpt-apt38', 'https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0'], 'synonyms': ['QUICKRIDE']}\n", "RatankbaPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos', 'https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf', 'http://blog.trex.re.kr/3'], 'synonyms': ['RATANKBAPOS']}\n", "RatSnif {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ratsnif', 'https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html', 'https://www.secureworks.com/research/threat-profiles/tin-woodlawn']}\n", "RawPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos', 'http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite', 'https://www.youtube.com/watch?v=fevGZs0EQu8', 'https://threatvector.cylance.com/en_us/home/rawpos-malware.html']}\n", "Razy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.razy', 'https://securelist.com/razy-in-search-of-cryptocurrency/89485/']}\n", "RC2FM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm', 'https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf', 'https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal']}\n", "RCS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs', 'https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/', 'https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines', 'https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/', 'https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/', 'https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?', 'http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html', 'https://www.f-secure.com/documents/996508/1030745/callisto-group', 'https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware', 'https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf', 'http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html'], 'synonyms': ['Crisis', 'Remote Control System']}\n", "RCtrl {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/']}\n", "rdasrv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv', 'https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf']}\n", "RDAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat', 'https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/', 'https://unit42.paloaltonetworks.com/atoms/evasive-serpens/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf'], 'synonyms': ['GREYSTUFF']}\n", "ReactorBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot', 'http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html', 'http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/', 'http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html', 'https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under']}\n", "Reaver {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver', 'https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html', 'https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/']}\n", "RecordBreaker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker', 'https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family', 'https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/', 'https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/', 'https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/', 'https://d01a.github.io/raccoon-stealer/']}\n", "RedAlpha {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha', 'https://www.recordedfuture.com/redalpha-cyber-campaigns/']}\n", "RedLeaves {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves', 'https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-riverside', 'https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/', 'https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html', 'https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf', 'http://blog.macnica.net/blog/2017/12/post-8c22.html', 'https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware', 'https://www.jpcert.or.jp/magazine/acreport-redleaves.html', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf', 'https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf', 'https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'https://www.us-cert.gov/ncas/alerts/TA17-117A', 'http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html'], 'synonyms': ['BUGJUICE']}\n", "RedLine Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer', 'https://muha2xmad.github.io/malware-analysis/fullredline/', 'https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html', 'https://securityscorecard.pathfactory.com/all/a-detailed-analysis', 'https://securityscorecard.com/research/detailed-analysis-redline-stealer', 'https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer', 'https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md', 'https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/', 'https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download', 'https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns', 'https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/', 'https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer', 'https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf', 'https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem', 'https://blog.netlab.360.com/purecrypter', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html', 'https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/', 'https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html', 'https://cyber-anubis.github.io/malware%20analysis/redline/', 'https://unit42.paloaltonetworks.com/bluesky-ransomware/', 'https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/', 'https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/', 'https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html', 'https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/', 'https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/', 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904', 'https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html', 'https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/', 'https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack', 'https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become', 'https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html', 'https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html', 'https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer', 'https://asec.ahnlab.com/en/30445/', 'https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf', 'https://intel471.com/blog/privateloader-malware', 'https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/', 'https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns', 'https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software', 'https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service', 'https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers', 'https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf', 'https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/', 'https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/', 'https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/', 'https://unit42.paloaltonetworks.com/lapsus-group/', 'https://asec.ahnlab.com/en/35981/', 'https://blog.morphisec.com/syk-crypter-discord', 'https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a', 'https://asec.ahnlab.com/ko/25837/', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer', 'https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/', 'https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware', 'https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/']}\n", "Redosdru {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redosdru', 'https://securitynews.sonicwall.com/xmlpost/redosdru-v-malware-that-hides-in-encrypted-dll-files-to-avoid-detection-by-firewalls-may-112016/']}\n", "REDPEPPER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper', 'https://twitter.com/ItsReallyNick/status/1136502701301346305'], 'synonyms': ['Adupib']}\n", "RedRum {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redrum', 'https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html'], 'synonyms': ['Grinch', 'Thanos', 'Tycoon']}\n", "REDSALT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf', 'https://twitter.com/ItsReallyNick/status/1136502701301346305', 'https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf'], 'synonyms': ['Dipsind']}\n", "REDSHAWL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf', 'https://content.fireeye.com/apt/rpt-apt38']}\n", "Redyms {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms', 'https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/']}\n", "Red Alert {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert', 'https://twitter.com/JaromirHorejsi/status/816237293073797121']}\n", "Red Gambler {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler', 'http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf']}\n", "reGeorg {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg', 'https://www.secureworks.com/blog/ransomware-deployed-by-adversary', 'https://www.welivesecurity.com/2022/09/06/worok-big-picture/', 'https://www.secureworks.com/research/samsam-ransomware-campaigns', 'https://sensepost.com/discover/tools/reGeorg/', 'https://github.com/sensepost/reGeorg', 'https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF']}\n", "Regin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.regin', 'https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf', 'https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/', 'https://securelist.com/big-threats-using-code-similarity-part-1/97239/', 'https://www.youtube.com/watch?v=jeLd-gw2bWo', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf', 'https://www.epicturla.com/previous-works/hitb2020-voltron-sta', 'https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments']}\n", "RegretLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker', 'https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/', 'https://twitter.com/malwrhunterteam/status/1321375502179905536', 'http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/']}\n", "RekenSom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rekensom', 'https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html'], 'synonyms': ['GHack Ransomware']}\n", "win.rekoobe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew', 'https://www.mandiant.com/resources/fin13-cybercriminal-mexico', 'https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/'], 'synonyms': ['tinyshell.win', 'tshd.win']}\n", "Rekt Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rektloader', 'https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html']}\n", "Rektware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rektware', 'https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html'], 'synonyms': ['PRZT Ransomware']}\n", "RelicRace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.relic_race', 'https://cert.gov.ua/article/955924']}\n", "RemCom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom', 'https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef', 'http://www.secureworks.com/research/threat-profiles/gold-franklin'], 'synonyms': ['RemoteCommandExecution']}\n", "Remcos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos', 'https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/', 'https://www.connectwise.com/resources/formbook-remcos-rat', 'https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html', 'https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads', 'https://secrary.com/ReversingMalware/RemcosRAT/', 'https://www.youtube.com/watch?v=DIH4SvKuktM', 'https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/', 'https://perception-point.io/behind-the-attack-remcos-rat/', 'https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols', 'https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/', 'https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service', 'https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/', 'https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf', 'https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html', 'https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware', 'https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html', 'https://www.telsy.com/download/4832/', 'https://www.vmray.com/cyber-security-blog/smart-memory-dumping/', 'https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html', 'https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/', 'https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire', 'https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html', 'https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/', 'https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html', 'https://news.sophos.com/en-us/2020/05/14/raticate/', 'https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html', 'https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/', 'https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html', 'https://www.ciphertechsolutions.com/roboski-global-recovery-automation/', 'https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/', 'https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/', 'https://asec.ahnlab.com/en/32376/', 'https://muha2xmad.github.io/unpacking/remcos/', 'https://securityintelligence.com/posts/roboski-global-recovery-automation/', 'https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter', 'https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/', 'https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine', 'https://www.esentire.com/blog/remcos-rat', 'https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf', 'https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt', 'https://intel471.com/blog/privateloader-malware', 'https://asec.ahnlab.com/ko/32101/', 'https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread', 'https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2', 'http://malware-traffic-analysis.net/2017/12/22/index.html', 'https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain', 'https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87', 'https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly', 'https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities', 'https://dissectingmalwa.re/malicious-ratatouille.html', 'https://asec.ahnlab.com/ko/25837/', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers', 'https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD', 'https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing', 'https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns', 'https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/', 'https://muha2xmad.github.io/mal-document/remcosdoc/', 'https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md'], 'synonyms': ['RemcosRAT', 'Remvio', 'Socmer']}\n", "Remexi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi', 'https://www.secureworks.com/research/threat-profiles/cobalt-hickman', 'https://twitter.com/QW5kcmV3/status/1095833216605401088', 'http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf', 'https://securelist.com/chafer-used-remexi-malware/89538/', 'https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf', 'https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions', 'https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets'], 'synonyms': ['CACHEMONEY']}\n", "RemoteAdmin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.remoteadmin', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=hacktool:win32/remoteadmin&ThreatID=2147731874']}\n", "RemoteControl {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.remotecontrolclient', 'https://github.com/frozleaf/RemoteControl'], 'synonyms': ['remotecontrolclient']}\n", "Remsec {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider', 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf', 'https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html', 'https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html', 'https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments']}\n", "Remy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.remy', 'https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html', 'https://www.secureworks.com/research/threat-profiles/tin-woodlawn'], 'synonyms': ['WINDSHIELD']}\n", "Rerdom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom', 'https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf']}\n", "Retadup {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup', 'http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/', 'https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/']}\n", "Retefe (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe', 'https://github.com/Tomasuh/retefe-unpacker', 'https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/', 'https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/', 'https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/', 'https://www.govcert.admin.ch/blog/35/reversing-retefe', 'https://github.com/cocaman/retefe', 'https://www.govcert.admin.ch/blog/33/the-retefe-saga', 'https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe'], 'synonyms': ['Tsukuba', 'Werdlod']}\n", "Retro {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.retro', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/', 'https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/', 'https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html']}\n", "Revenge RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat', 'https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html', 'https://isc.sans.edu/diary/rss/22590', 'https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md', 'https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader', 'https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries', 'https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/', 'https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns', 'https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/', 'https://securelist.com/revengehotels/95229/', 'https://blog.reversinglabs.com/blog/rats-in-the-library', 'https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g', 'https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/', 'https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated', 'https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/', 'https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/', 'https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/', 'https://blogs.360.cn/post/APT-C-44.html', 'https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel', 'https://blog.reversinglabs.com/blog/dotnet-loaders', 'https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html'], 'synonyms': ['Revetrat']}\n", "ReverseRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat', 'https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/', 'https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/', 'https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf']}\n", "Reveton {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.reveton', 'https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/']}\n", "REvil (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.revil', 'https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/', 'https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f', 'https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/', 'https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf', 'https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40', 'https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/', 'https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf', 'https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html', 'https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://www.youtube.com/watch?v=P8o6GItci5w', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/', 'https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/', 'https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident', 'https://intel471.com/blog/changes-in-revil-ransomware-version-2-2', 'https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf', 'https://www.certego.net/en/news/malware-tales-sodinokibi/', 'https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/', 'https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/', 'https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html', 'https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit', 'https://securelist.com/sodin-ransomware/91473/', 'https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80', 'https://twitter.com/resecurity_com/status/1412662343796813827', 'https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/', 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2', 'https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/', 'https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/', 'https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/', 'https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf', 'https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain', 'https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/', 'https://blog.amossys.fr/sodinokibi-malware-analysis.html', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt', 'https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/', 'https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles', 'https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ', 'https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html', 'https://www.youtube.com/watch?v=QYQQUUpU04s', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos', 'https://twitter.com/_alex_il_/status/1412403420217159694', 'https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html', 'https://unit42.paloaltonetworks.com/revil-threat-actors/', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/', 'https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/', 'https://community.riskiq.com/article/3315064b', 'https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/', 'https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox', 'https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html', 'https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope', 'https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/', 'https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya', 'https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/', 'https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/', 'https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html', 'https://twitter.com/SophosLabs/status/1413616952313004040?s=20', 'https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json', 'https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/', 'https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf', 'https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo', 'https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel', 'https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment', 'https://securelist.com/ransomware-world-in-2021/102169/', 'https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html', 'https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89', 'https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil', 'https://home.treasury.gov/news/press-releases/jy0471', 'https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422', 'https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/', 'https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload', 'https://www.connectwise.com/resources/revil-profile', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/', 'https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/', 'https://unit42.paloaltonetworks.com/prometheus-ransomware/', 'https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent', 'https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/', 'https://analyst1.com/file-assets/History-of-REvil.pdf', 'https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf', 'https://www.kaseya.com/potential-attack-on-kaseya-vsa/', 'https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/', 'https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/', 'https://twitter.com/svch0st/status/1411537562380816384', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs', 'https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/', 'https://ke-la.com/will-the-revils-story-finally-be-over/', 'https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/', 'https://twitter.com/VK_Intel/status/1374571480370061312?s=20', 'https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa', 'https://twitter.com/SyscallE/status/1411074271875670022', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil', 'https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf', 'https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/', 'https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities', 'https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/', 'https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/', 'https://www.netskope.com/blog/netskope-threat-coverage-revil', 'https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317', 'https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b', 'https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom', 'https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf', 'https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/', 'https://threatintel.blog/OPBlueRaven-Part1/', 'https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom', 'https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/', 'https://www.secureworks.com/research/lv-ransomware', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801', 'https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights', 'https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/', 'https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/', 'https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version', 'https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin', 'https://twitter.com/LloydLabs/status/1411098844209819648', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/', 'https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/', 'https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/', 'https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf', 'https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/', 'https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack', 'https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/', 'https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/', 'https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/', 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter', 'https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/', 'https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/', 'https://velzart.nl/blog/ransomeware/', 'https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas', 'https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics', 'https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/', 'https://hatching.io/blog/ransomware-part2', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/', 'https://www.youtube.com/watch?v=l2P5CMH9TE0', 'https://twitter.com/VK_Intel/status/1411066870350942213', 'https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/', 'https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain', 'https://twitter.com/R3MRUM/status/1412064882623713283', 'https://vimeo.com/449849549', 'https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions', 'https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/', 'https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend', 'https://blog.group-ib.com/REvil_RaaS', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/', 'https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/', 'https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware', 'https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/', 'https://www.secureworks.com/blog/revil-the-gandcrab-connection', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/', 'https://www.flashpoint-intel.com/blog/revil-disappears-again/', 'https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/', 'https://www.secureworks.com/research/revil-sodinokibi-ransomware', 'https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/', 'https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html', 'https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20', 'https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/', 'https://isc.sans.edu/diary/27012', 'https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/', 'https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis', 'https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/', 'https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-southfield', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.bbc.com/news/technology-59297187', 'https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf', 'https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/', 'https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/', 'https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/', 'https://www.kpn.com/security-blogs/Tracking-REvil.htm', 'https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/', 'https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/', 'https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf', 'https://www.ironnet.com/blog/ransomware-graphic-blog', 'https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/', 'https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/', 'https://asec.ahnlab.com/ko/19640/', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf', 'https://redcanary.com/blog/uncompromised-kaseya/', 'https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/', 'https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout', 'https://www.grahamcluley.com/travelex-paid-ransom/', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view', 'https://threatpost.com/ransomware-revil-sites-disappears/167745/', 'https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/', 'https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf', 'https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html', 'http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html', 'https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html', 'https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html', 'https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/', 'https://twitter.com/fwosar/status/1420119812815138824', 'https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide', 'https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/', 'https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released', 'https://twitter.com/fwosar/status/1411281334870368260', 'http://www.secureworks.com/research/threat-profiles/gold-southfield', 'https://asec.ahnlab.com/ko/19860/', 'https://twitter.com/Jacob_Pimental/status/1391055792774729728', 'https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html', 'https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/', 'https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process', 'https://www.cyjax.com/2021/07/09/revilevolution/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/', 'https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/', 'https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://twitter.com/SophosLabs/status/1412056467201462276', 'https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/', 'https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/', 'https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html', 'https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/', 'https://www.youtube.com/watch?v=tZVFMVm5GAk', 'https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/'], 'synonyms': ['Sodin', 'Sodinokibi']}\n", "RGDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor', 'https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf', 'https://www.secureworks.com/research/threat-profiles/cobalt-lyceum', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/', 'https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran', 'https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae', 'https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/']}\n", "Rhino {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino', 'https://www.vmray.com/cyber-security-blog/rhino-ransomware-malware-analysis-spotlight/']}\n", "RHttpCtrl {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/']}\n", "Rietspoof {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof', 'https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/', 'https://blog.avast.com/rietspoof-malware-increases-activity', 'https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/']}\n", "Rifdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf', 'https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/']}\n", "Rikamanu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu', 'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets']}\n", "Rincux {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf']}\n", "Ripper ATM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm', 'http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/', 'https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf']}\n", "Rising Sun {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf', 'https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf']}\n", "RM3 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3', 'https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/']}\n", "RMS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rms', 'https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/', 'https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf', 'https://blog.yoroi.company/research/ta505-is-expanding-its-operations/', 'https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf', 'https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks', 'https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution', \"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf\", 'https://awakesecurity.com/blog/catching-the-white-stork-in-flight/'], 'synonyms': ['Gussdoor', 'Remote Manipulator System']}\n", "RobinHood {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood', 'https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf', 'https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/', 'https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/', 'https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/', 'https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/', 'https://twitter.com/VK_Intel/status/1121440931759128576', 'https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/', 'https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/', 'https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/', 'https://goggleheadedhacker.com/blog/post/12', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/'], 'synonyms': ['RobbinHood']}\n", "rock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rock'], 'synonyms': ['yellowalbatross']}\n", "Rockloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf']}\n", "Rofin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin']}\n", "RogueRobinNET {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin', 'https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/', 'https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/']}\n", "Rokku {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku', 'https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/']}\n", "RokRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat', 'http://v3lo.tistory.com/24', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf', 'https://unit42.paloaltonetworks.com/atoms/moldypisces/', 'http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'http://blog.talosintelligence.com/2017/04/introducing-rokrat.html', 'https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/', 'https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf', 'https://www.ibm.com/downloads/cas/Z81AVOY7', 'https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html', 'https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf', 'https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/', 'https://www.youtube.com/watch?v=uoBQE5s2ba4', 'http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html', 'https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/', 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf', 'https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/', 'https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48', 'https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/', 'https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection'], 'synonyms': ['DOGCALL']}\n", "Rombertik {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik', 'http://blogs.cisco.com/security/talos/rombertik'], 'synonyms': ['CarbonGrabber']}\n", "ROMCOM RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat', 'https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/']}\n", "Romeo(Alfa,Bravo, ...) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos']}\n", "Rook {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rook', 'https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/', 'https://seguranca-informatica.pt/rook-ransomware-analysis/', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/', 'https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/']}\n", "Roopirs {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs']}\n", "Roseam {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam', 'http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/'], 'synonyms': ['PisLoader']}\n", "Roshtyak {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.roshtyak', 'https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/']}\n", "RotorCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt', 'https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html', 'https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/'], 'synonyms': ['RotoCrypt', 'Rotor']}\n", "Rover {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rover', 'http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/', 'https://securelist.com/apt-trends-report-q3-2020/99204/']}\n", "Rovnix {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix', 'https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0', 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf', 'https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/', 'http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981', 'https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/', 'https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/', 'http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html', 'http://www.malwaretech.com/2014/05/rovnix-new-evolution.html', 'https://securelist.com/oh-what-a-boot-iful-mornin/97365', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/', 'https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/'], 'synonyms': ['BkLoader', 'Cidox', 'Mayachok']}\n", "RoyalCli {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli', 'https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://github.com/nccgroup/Royal_APT', 'https://www.secureworks.com/research/threat-profiles/bronze-palace']}\n", "Royal DNS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns', 'https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/', 'https://github.com/nccgroup/Royal_APT', 'https://www.secureworks.com/research/threat-profiles/bronze-palace']}\n", "Rozena {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena', 'https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/', 'https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors', 'https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor', 'https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena']}\n", "RTM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm', 'https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/', 'https://www.youtube.com/watch?v=YXnNO3TipvM', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://jonahacks.medium.com/malware-analysis-manual-unpacking-of-redaman-ec1782352cfb', 'http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html', 'https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/'], 'synonyms': ['Redaman']}\n", "rtpos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos', 'https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf', 'http://reversing.fun/posts/2022/01/30/rtpos.html']}\n", "Ruckguv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv', 'https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear']}\n", "Rumish {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish']}\n", "running_rat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat']}\n", "RURansom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ruransom', 'https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html', 'https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html', 'https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/']}\n", "Rurktar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar', 'https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction'], 'synonyms': ['RCSU']}\n", "Rustock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock', 'https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html', 'http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html', 'https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/', 'http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://darknetdiaries.com/episode/110/', 'http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf', 'http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/', 'https://www.secureworks.com/blog/research-21041', 'http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf']}\n", "Ryuk {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk', 'https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption', 'https://community.riskiq.com/article/c88cf7e6', 'https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/', 'https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021', 'https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/', 'https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more', 'https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://twitter.com/SecurityJoes/status/1402603695578157057', 'https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/', 'https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/', 'https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus', 'https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf', 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2', 'https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/', 'https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/', 'https://www.scythe.io/library/threatthursday-ryuk', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf', 'https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware', 'https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/', 'https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders', 'https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox', 'https://blog.cyberint.com/ryuk-crypto-ransomware', 'https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc', 'https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/', 'https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/', 'https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes', 'https://www.crowdstrike.com/blog/wizard-spider-adversary-update/', 'https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf', 'https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets', 'https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware', 'https://twitter.com/Prosegur/status/1199732264386596864', 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html', 'https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/', 'https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp', 'https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/', 'https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/', 'https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/', 'https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf', 'https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/', 'https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike', 'https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/', 'https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/', 'https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf', 'https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html', 'https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/', 'https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv', 'https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/', 'https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes', 'https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html', 'https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://twitter.com/anthomsec/status/1321865315513520128', 'https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/', 'https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/', 'https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/', 'https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html', 'https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf', 'https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/', 'https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/', 'https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/', 'https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/', 'https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/', 'https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/', 'https://thehackernews.com/2022/05/malware-analysis-trickbot.html', 'https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/', 'https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html', 'https://twitter.com/IntelAdvanced/status/1353546534676258816', 'https://www.secureworks.com/research/threat-profiles/gold-ulrick', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf', 'https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/', 'https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html', 'https://www.youtube.com/watch?v=CgDtm05qApE', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/', 'https://www.youtube.com/watch?v=7xxRunBP5XA', 'https://thedfirreport.com/2021/01/31/bazar-no-ryuk/', 'https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html', 'https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html', 'https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf', 'https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/', 'https://github.com/scythe-io/community-threats/tree/master/Ryuk', 'https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/', 'https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/', 'https://twitter.com/SophosLabs/status/1321844306970251265', 'https://www.youtube.com/watch?v=BhjQ6zsCVSc', 'https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects', 'https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/', 'https://arcticwolf.com/resources/blog/karakurt-web', 'https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/', 'https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6', 'https://community.riskiq.com/article/0bcefe76', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/', 'https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/', 'https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon', 'https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/', 'https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/', 'https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/', 'https://www.youtube.com/watch?v=Of_KjNG9DHc', 'https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12', 'https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker', 'https://unit42.paloaltonetworks.com/ryuk-ransomware/', 'https://thedfirreport.com/2020/10/08/ryuks-return/', 'https://blog.reversinglabs.com/blog/hunting-for-ransomware', 'https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware', 'https://twitter.com/ffforward/status/1324281530026524672', 'https://www.hhs.gov/sites/default/files/bazarloader.pdf', 'https://twitter.com/IntelAdvanced/status/1356114606780002308', 'https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://0xchina.medium.com/malware-reverse-engineering-31039450af27', 'https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf', 'https://www.youtube.com/watch?v=HwfRxjV2wok', 'https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/']}\n", "Ryuk Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer', 'https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/', 'https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/', 'https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf', 'https://twitter.com/VK_Intel/status/1171782155581689858'], 'synonyms': ['Sidoh']}\n", "Sadogo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sadogo', 'https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html']}\n", "Saefko {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.saefko', 'https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat']}\n", "SafeNet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.safenet', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf']}\n", "SAGE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom', 'https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/', 'https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga', 'https://www.cert.pl/en/news/single/sage-2-0-analysis/', 'http://malware-traffic-analysis.net/2017/10/13/index.html', 'https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/'], 'synonyms': ['Saga']}\n", "SaiGon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon', 'https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/', 'https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html']}\n", "Saint Bot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot', 'https://cert.gov.ua/article/18419', 'https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/', 'https://unit42.paloaltonetworks.com/atoms/nascentursa/', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/', 'https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/', 'https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/']}\n", "Saitama Backdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.saitama', 'https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html', 'https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt', 'https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/', 'https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738'], 'synonyms': ['Saitama']}\n", "Sakula RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula', 'https://www.secureworks.com/research/sakula-malware-family', 'https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/', 'https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf', 'https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654', 'https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group', 'https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1'], 'synonyms': ['Sakurel']}\n", "Salgorea {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea', 'https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/', 'https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf', 'https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware'], 'synonyms': ['BadCake']}\n", "Sality {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sality', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.mandiant.com/resources/pe-file-infecting-malware-ot', 'https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail', 'https://unit42.paloaltonetworks.com/c2-traffic/', 'https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf', 'https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf', 'https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py']}\n", "SamoRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.samo_rat', 'https://business.xunison.com/analysis-of-samorat/']}\n", "SamSam {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf', 'https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1', 'https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf', 'https://www.secureworks.com/research/samsam-ransomware-campaigns', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/', 'https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/', 'https://www.secureworks.com/research/threat-profiles/gold-lowell', 'https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/', 'https://www.justice.gov/opa/press-release/file/1114746/download', 'http://blog.talosintel.com/2016/03/samsam-ransomware.html', 'https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.secureworks.com/blog/samas-ransomware', 'https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/', 'https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf', 'https://www.secureworks.com/blog/ransomware-deployed-by-adversary', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/', 'https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/', 'https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx', 'http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html', 'https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/'], 'synonyms': ['Samas']}\n", "Sanny {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny', 'http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html', 'https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html']}\n", "SapphireMiner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sapphire_miner', 'https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html']}\n", "SappyCache {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache', 'https://blog.alyac.co.kr/2219', 'https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails', 'https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html', 'https://blog.alyac.co.kr/m/2219', 'https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf']}\n", "Sarhust {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust', 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a', 'https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html', 'https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt'], 'synonyms': ['ENDCMD', 'Hussarini']}\n", "Sasfis {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis', 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis', 'https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/', 'https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign', 'https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx', 'https://www.symantec.com/security-center/writeup/2010-020210-5440-99', 'https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/'], 'synonyms': ['Oficla']}\n", "Satan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.satan', 'https://www.sangfor.com/source/blog-network-security/1094.html', 'http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/', 'https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html', 'https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/', 'https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html', 'https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/', 'https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread', 'https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2'], 'synonyms': ['5ss5c', 'DBGer', 'Lucky Ransomware']}\n", "Satana {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.satana', 'https://blog.reversinglabs.com/blog/retread-ransomware', 'https://www.cylance.com/threat-spotlight-satan-raas']}\n", "Satellite Turla {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla', 'https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/']}\n", "Sathurbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot', 'https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/', 'https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/']}\n", "ScanPOS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos', 'https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware', 'https://securitykitten.github.io/2016/11/15/scanpos.html', 'https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md']}\n", "Scarabey {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey', 'https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html'], 'synonyms': ['MVP', 'Scarab', 'Scarab-Russian']}\n", "Scarab Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'http://malware-traffic-analysis.net/2017/11/23/index.html', 'https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/']}\n", "Schneiken {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken', 'https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb', 'https://github.com/vithakur/schneiken']}\n", "Scieron {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363', 'https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine', 'https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/']}\n", "Scote {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.scote', 'https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/']}\n", "Scranos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos', 'https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf', 'https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/']}\n", "ScreenLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker', 'https://twitter.com/struppigel/status/791535679905927168']}\n", "SDBbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://vblocalhost.com/uploads/VB2020-Jung.pdf', 'https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader', 'https://github.com/Tera0017/SDBbot-Unpacker', 'https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-tahoe', 'https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector']}\n", "SEADADDY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy', 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/', 'https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/', 'https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/'], 'synonyms': ['SeaDuke', 'Seadask']}\n", "SeaSalt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "SectopRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat', 'https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html', 'https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers'], 'synonyms': ['1xxbot', 'ArechClient']}\n", "SeDll {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll', 'https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html', 'https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets', 'https://www.secureworks.com/research/threat-profiles/bronze-mohawk', 'https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/']}\n", "Sedreco {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco', 'https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/', 'https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf', 'https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/', 'https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf', 'http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf'], 'synonyms': ['azzy', 'eviltoss']}\n", "Seduploader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf', 'https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed', 'https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/', 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/', 'https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/', 'https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/', 'https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/', 'https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf', 'https://securelist.com/a-slice-of-2017-sofacy-activity/83930/', 'https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/', 'https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/', 'http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html', 'http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/', 'https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html', 'https://blog.xpnsec.com/apt28-hospitality-malware-part-2/', 'https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/'], 'synonyms': ['GAMEFISH', 'carberplike', 'downrage', 'jhuhugit', 'jkeyskw']}\n", "seinup {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.seinup', 'https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html']}\n", "Sekhmet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet', 'https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html', 'https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/', 'https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/', 'https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/']}\n", "SelfMake Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.selfmake', 'https://twitter.com/8th_grey_owl/status/1481433481485844483']}\n", "SendSafe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe', 'https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf', 'https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618']}\n", "SepSys {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys', 'https://id-ransomware.blogspot.com/2020/02/sepsys-ransomware.html'], 'synonyms': ['Silvertor Ransomware']}\n", "Sepulcher {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher', 'https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global', 'https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic']}\n", "Serpico {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico']}\n", "ServHelper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper', 'https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware', \"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf\", 'https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/', 'https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf', 'https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/', 'https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.secureworks.com/research/threat-profiles/gold-tahoe', 'https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://insights.oem.avira.com/ta505-apt-group-targets-americas/', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners', 'https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/', 'https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html', 'https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf', 'https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/']}\n", "SessionManager {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.session_manager', 'https://securelist.com/the-sessionmanager-iis-backdoor/106868/']}\n", "Sfile {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sfile', 'https://twitter.com/GrujaRS/status/1296856836944076802?s=20', 'https://id-ransomware.blogspot.com/2020/02/sfile2-ransomware.html', 'https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/'], 'synonyms': ['Escal', 'Morseop']}\n", "shadowhammer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer', 'https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf', 'https://norfolkinfosec.com/the-first-stage-of-shadowhammer/', 'https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/', 'https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/', 'https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html', 'https://www.youtube.com/watch?v=T5wPwvLrBYU', 'https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://blog.reversinglabs.com/blog/forging-the-shadowhammer', 'https://mauronz.github.io/shadowhammer-backdoor', 'https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/', 'https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://securelist.com/operation-shadowhammer/89992/', 'https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html', 'https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/'], 'synonyms': ['DAYJOB']}\n", "ShadowPad {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad', 'https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf', 'https://www.welivesecurity.com/2022/09/06/worok-big-picture/', 'https://www.ic3.gov/Media/News/2021/211220.pdf', 'https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html', 'https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/', 'https://www.youtube.com/watch?v=55kaaMGBARM', 'https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/', 'https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/', 'https://www.recordedfuture.com/redecho-targeting-indian-power-sector/', 'https://www.youtube.com/watch?v=r1zAVX_HnJg', 'https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf', 'https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf', 'https://community.riskiq.com/article/d8b749f2', 'https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf', 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/', 'https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf', 'https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments', 'https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html', 'https://therecord.media/redecho-group-parks-domains-after-public-exposure/', 'https://www.secureworks.com/research/shadowpad-malware-analysis', 'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/', 'https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://securelist.com/shadowpad-in-corporate-networks/81432/', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf', 'https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf', 'https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage', 'https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html', 'https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/', 'https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/', 'https://attack.mitre.org/groups/G0096', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/', 'https://www.youtube.com/watch?v=IRh6R8o1Q7U', 'https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf', 'https://www.youtube.com/watch?v=_fstHQSK-kk', 'https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf', 'https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf'], 'synonyms': ['POISONPLUG.SHADOW', 'XShellGhost']}\n", "Shakti {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti', 'https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/', 'https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/']}\n", "SHAPESHIFT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift', 'https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html']}\n", "shareip {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip', 'https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong'], 'synonyms': ['remotecmd']}\n", "Shark {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shark', 'https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/', 'https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf']}\n", "SharpBeacon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpbeacon', 'https://github.com/mai1zhi2/SharpBeacon']}\n", "SHARPKNOT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot', 'https://eromang.zataz.com/tag/agentbase-exe/', 'https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf'], 'synonyms': ['Bitrep']}\n", "SharpMapExec {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpmapexec', 'https://github.com/cube0x0/SharpMapExec']}\n", "SharpStage {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage', 'https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/', 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf', 'https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign'], 'synonyms': ['LastConn']}\n", "SHARPSTATS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstats', 'https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf']}\n", "ShellClient RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shellclient', 'https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/', 'https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms'], 'synonyms': ['GhostShell']}\n", "ShellLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker', 'https://twitter.com/JaromirHorejsi/status/813726714228604928']}\n", "Shifu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/', 'http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/', 'https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan']}\n", "Shim RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat', 'https://www.secureworks.com/research/threat-profiles/bronze-walker', 'https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf']}\n", "SHIPSHAPE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf']}\n", "Shujin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin', 'https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/']}\n", "Shurl0ckr {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications']}\n", "Shylock {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock', 'https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/', 'https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw', 'https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware', 'https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html', 'https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware', 'https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/'], 'synonyms': ['Caphaw']}\n", "SideTwist {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sidetwist', 'https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/']}\n", "SideWalk (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk', 'https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware', 'https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf'], 'synonyms': ['ScrambleCross']}\n", "SideWinder (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder', 'https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html', 'https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf', 'https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c', 'https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/', 'https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c', 'https://s.tencent.com/research/report/479.html', 'https://www.secrss.com/articles/26507', 'https://s.tencent.com/research/report/659.html', 'https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/']}\n", "SiennaBlue {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_blue', 'https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware', 'https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/'], 'synonyms': ['H0lyGh0st', 'HolyLocker']}\n", "SiennaPurple {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_purple', 'https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware', 'https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/'], 'synonyms': ['H0lyGh0st', 'HolyLocker']}\n", "Sierra(Alfa,Bravo, ...) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware', 'https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks', 'https://www.secureworks.com/research/threat-profiles/nickel-academy', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4', 'https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group', 'https://www.us-cert.gov/ncas/alerts/TA14-353A'], 'synonyms': ['Destover']}\n", "Siggen6 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6']}\n", "sihost {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sihost', 'https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/']}\n", "Silence {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.silence', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf', 'https://securelist.com/the-silence/83009/', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'http://www.intezer.com/silenceofthemoles/', 'https://reaqta.com/2019/01/silence-group-targeting-russian-banks/', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf', 'https://github.com/Tera0017/TAFOF-Unpacker', 'https://www.youtube.com/watch?v=FttiysUZmDw', 'https://www.group-ib.com/resources/threat-research/silence.html', 'https://norfolkinfosec.com/some-notes-on-the-silence-proxy/', 'https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/'], 'synonyms': ['TrueBot']}\n", "Silon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.silon', 'http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm', 'http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html']}\n", "Siluhdur {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur']}\n", "Simda {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.simda', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/', 'https://www.youtube.com/watch?v=u2HEGDzd8KM', 'https://secrary.com/ReversingMalware/iBank/'], 'synonyms': ['iBank']}\n", "SimpleFileMover {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover', 'https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators']}\n", "Sinowal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.recordedfuture.com/turla-apt-infrastructure/', 'https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan', 'https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/', 'https://en.wikipedia.org/wiki/Torpig'], 'synonyms': ['Anserin', 'Mebroot', 'Quarian', 'Theola', 'Torpig']}\n", "Sisfader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader', 'https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/', 'https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4']}\n", "Skimer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.skimer', 'http://atm.cybercrime-tracker.net/index.php', 'https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html']}\n", "SkinnyBoy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.skinnyboy', 'https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf', 'https://cybergeeks.tech/skinnyboy-apt28/']}\n", "skip-2.0 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20', 'https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/']}\n", "Skipper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper', 'https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf', 'https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/', 'https://securelist.com/shedding-skin-turlas-fresh-faces/88069/', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf', 'https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/'], 'synonyms': ['Kotel']}\n", "Skyplex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex']}\n", "Slave {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.slave', 'https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/']}\n", "SLICKSHOES {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes', 'https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-045b']}\n", "Slingshot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot', 'https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/', 'https://securelist.com/apt-slingshot/84312/', 'https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf', 'https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/']}\n", "Sliver {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver', 'https://github.com/BishopFox/sliver', 'https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf', 'https://www.telsy.com/download/5900/?uid=b797afdcfb', 'https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/', 'https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike', 'https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks', 'https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/']}\n", "SlothfulMedia {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a', 'https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/'], 'synonyms': ['QueenOfClubs']}\n", "SLUB {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.slub', 'https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf', 'https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/', 'https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf']}\n", "smac {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smac', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-express'], 'synonyms': ['speccom']}\n", "Smackdown {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smackdown', 'https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2013/2013.05.20.Operation_Hangover/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf']}\n", "SManager {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1', 'https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html', 'https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html', 'https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/', 'https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4', 'https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html', 'https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager', 'https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html', 'https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/', 'https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214', 'https://blog.group-ib.com/task'], 'synonyms': ['PhantomNet']}\n", "SmartEyes {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smarteyes', 'https://www.virustotal.com/gui/file/4eb840617883bf6ed7366242ffee811ad5ea3d5bfd2a589a96d6ee9530690d28/details']}\n", "SMAUG {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug', 'https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service', 'https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html']}\n", "SMOKEDHAM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham', 'https://www.mandiant.com/resources/burrowing-your-way-into-vpns', 'https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise', 'https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html']}\n", "SmokeLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://www.cert.pl/en/news/single/dissecting-smoke-loader/', 'https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/', 'https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html', 'https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html', 'https://x0r19x91.in/malware-analysis/smokeloader/', 'http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities', 'https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html', 'https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/', 'https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis', 'https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.silentpush.com/blog/privacy-tools-not-for-you', 'https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html', 'https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view', 'https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html', 'https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html', 'https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/', 'http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html', 'https://asec.ahnlab.com/en/33600/', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/', 'https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait', 'https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe', 'https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/', 'https://research.checkpoint.com/2019-resurgence-of-smokeloader/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/', 'https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor', 'https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer', 'https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries', 'https://suvaditya.one/malware-analysis/smokeloader/', 'https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/', 'https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/', 'https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign', 'https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md', 'https://hatching.io/blog/tt-2020-08-27/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/', 'https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft', 'https://intel471.com/blog/privateloader-malware', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/', 'https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service', 'https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/', 'https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a', 'https://m.alvar.es/2020/06/unpacking-smokeloader-and.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886', 'https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/', 'https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html', 'http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html', 'https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/', 'https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo', 'https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/', 'https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer'], 'synonyms': ['Dofoil', 'Sharik', 'Smoke', 'Smoke Loader']}\n", "Smominru {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru', 'http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/', 'https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators'], 'synonyms': ['Ismo']}\n", "Smrss32 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32', 'https://www.youtube.com/watch?v=7gCU31ScJgk', 'https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/']}\n", "Sn0wsLogger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sn0wslogger', 'https://twitter.com/struppigel/status/1354806038805897216']}\n", "Snake {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.snake', 'https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md', 'https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/', 'https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf', 'https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017', 'https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/', 'https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/', 'https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems', 'https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/', 'https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/', 'https://twitter.com/bad_packets/status/1270957214300135426', 'https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware', 'https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/', 'https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot', 'https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html', 'https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/', 'https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html', 'https://www.goggleheadedhacker.com/blog/post/22', 'https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/', 'https://twitter.com/milkr3am/status/1270019326976786432', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/', 'https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf', 'https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/'], 'synonyms': ['EKANS', 'SNAKEHOSE']}\n", "Snatch {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch', 'https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access', 'https://twitter.com/VK_Intel/status/1191414501297528832', 'https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://thedfirreport.com/2020/06/21/snatch-ransomware/', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md', 'https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/']}\n", "SnatchCrypto {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto', 'https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf', 'https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/']}\n", "SnatchLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader', 'https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/', 'https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/', 'https://www.youtube.com/watch?v=k3sM88o_maM', 'https://twitter.com/VK_Intel/status/898549340121288704', 'https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/']}\n", "SNEEPY {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy', 'https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/'], 'synonyms': ['ByeByeShell']}\n", "Snifula {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula', 'https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/', 'https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html', 'https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/'], 'synonyms': ['Ursnif']}\n", "Snojan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan', 'https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9']}\n", "SNS Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker']}\n", "Sobaken {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken', 'https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/']}\n", "Sobig {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig', 'http://edition.cnn.com/2003/TECH/internet/08/21/sobig.virus/index.html'], 'synonyms': ['Palyh']}\n", "Socelars {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars', 'https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html', 'https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/', 'https://twitter.com/VK_Intel/status/1201584107928653824', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/']}\n", "Sockbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot', 'https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/', 'https://www.youtube.com/watch?v=CAMnuhg-Qos', 'https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html', 'https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf']}\n", "Socks5 Systemz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz']}\n", "SocksBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf', 'https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf', 'https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf', 'https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf', 'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'], 'synonyms': ['BIRDDOG', 'Nadrac']}\n", "SodaMaster {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks', 'https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/', 'https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf', 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader', 'https://securelist.com/apt-trends-report-q1-2021/101967/', 'https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf'], 'synonyms': ['DelfsCake', 'HEAVYPOT', 'dfls']}\n", "Solarbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot', 'https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/', 'https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/', 'https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/'], 'synonyms': ['Napolar']}\n", "solarmarker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker', 'https://twitter.com/MsftSecIntel/status/1403461397283950597', 'https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/', 'https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction', 'https://unit42.paloaltonetworks.com/solarmarker-malware/', 'https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more', 'https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/', 'https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf', 'https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise', 'https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer', 'https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/', 'https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/', 'https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer', 'https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html', 'https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/', 'https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire', 'https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker'], 'synonyms': ['Jupyter', 'Polazert', 'Yellow Cockatoo']}\n", "SolidBit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.solidbit', 'https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html']}\n", "SombRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat', 'https://blogs.blackberry.com/en/2021/05/threat-thursday-sombrat-always-leave-yourself-a-backdoor', 'https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced']}\n", "Sorano {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sorano', 'https://github.com/Alexuiop1337/SoranoStealer', 'https://github.com/3xp0rt/SoranoStealer', 'https://3xp0rt.xyz/lpmkikVic']}\n", "soraya {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya', 'https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper']}\n", "SoreFang {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sorefang', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a', 'https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf', 'https://securelist.com/apt-trends-report-q3-2020/99204/']}\n", "Sorgu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu', 'https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east']}\n", "Soul {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.soul', 'https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware'], 'synonyms': ['SoulSearcher']}\n", "SOUNDBITE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite', 'https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx', 'https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A', 'https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/', 'https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf', 'https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/', 'https://www.secureworks.com/research/threat-profiles/tin-woodlawn', 'https://attack.mitre.org/wiki/Software/S0157', 'https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html', 'https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection'], 'synonyms': ['denis']}\n", "SPACESHIP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf']}\n", "Spark {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spark', 'https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one', 'https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign', 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf', 'https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east', 'https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/']}\n", "Sparkle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sparkle', 'https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html']}\n", "Sparksrv {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sparksrv', 'https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan']}\n", "SparrowDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door', 'https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf', 'https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/'], 'synonyms': ['FamousSparrow']}\n", "Spartacus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spartacus', 'https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html']}\n", "Spectre Rat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spectre', 'https://yoroi.company/research/spectre-v4-0-the-speed-of-malware-threats-after-the-pandemics/']}\n", "Spedear {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear', 'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets']}\n", "Spicy Hot Pot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spicyhotpot', 'https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/']}\n", "SPIDERPIG RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat', 'https://twitter.com/nahamike01/status/1471496800582664193?s=20', 'https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf']}\n", "Spora {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom', 'https://github.com/MinervaLabsResearch/SporaVaccination', 'https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/', 'https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas', 'https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware', 'https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/', 'http://malware-traffic-analysis.net/2017/01/17/index2.html']}\n", "SpyBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot']}\n", "Spyder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder', 'https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/', 'https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf', 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/', 'https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive', 'https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques', 'https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf', 'https://vms.drweb.com/virus/?i=23648386']}\n", "SpyEye {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/', 'https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html', 'https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/', 'http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html', 'https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals', 'https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html', 'https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot', 'https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/']}\n", "Squirrelwaffle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle', 'https://www.malware-traffic-analysis.net/2021/09/17/index.html', 'https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/', 'https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike', 'https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/', 'https://redcanary.com/blog/intelligence-insights-november-2021/', 'https://twitter.com/Max_Mal_/status/1442496131410190339', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://redcanary.com/blog/intelligence-insights-december-2021', 'https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader', 'https://www.cynet.com/understanding-squirrelwaffle/', 'https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html', 'https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/', 'https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike', 'https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9', 'https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/', 'https://www.youtube.com/watch?v=9X2P7aFKSw0', 'https://twitter.com/jhencinski/status/1464268732096815105', 'https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan', 'https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html', 'https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/', 'https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot', 'https://security-soup.net/squirrelwaffle-maldoc-analysis/', 'https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf'], 'synonyms': ['DatopLoader']}\n", "SquirtDanger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger', 'https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/']}\n", "SSHNET {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sshnet', 'https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices', 'https://www.crowdstrike.com/blog/who-is-pioneer-kitten/', 'https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf']}\n", "SslMM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://securelist.com/analysis/publications/69953/the-naikon-apt/', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf']}\n", "Stabuniq {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq', 'https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers', 'http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html']}\n", "StalinLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stalin_locker', 'https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/'], 'synonyms': ['StalinScreamer']}\n", "Stampedo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo', 'https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/']}\n", "StarCruft {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft', 'https://securelist.com/operation-daybreak/75100/']}\n", "StarLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader', 'https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments']}\n", "StarsyPound {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "StartPage {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage', 'https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page'], 'synonyms': ['Easy Television Access Now']}\n", "STASHLOG {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog', 'https://twitter.com/ESETresearch/status/1433819369784610828', 'https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html', 'https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques', 'https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive']}\n", "StealBit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit', 'https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool', 'https://twitter.com/r3c0nst/status/1425875923606310913', 'https://securelist.com/new-ransomware-trends-in-2022/106457/', 'https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/'], 'synonyms': ['Corrempa']}\n", "Stealer0x3401 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stealer_0x3401', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks']}\n", "StealthWorker Go {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker', 'https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/', 'https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/']}\n", "SteamHide {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.steamhide', 'https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images']}\n", "StegoLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader', 'https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer']}\n", "Stinger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger']}\n", "StoneDrill {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage']}\n", "STOP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stop', 'https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/', 'https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list', 'https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/', 'https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b', 'https://securelist.com/keypass-ransomware/87412/', 'https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/', 'https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads', 'https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/', 'https://angle.ankura.com/post/102het9/the-stop-ransomware-variant', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a', 'https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://intel471.com/blog/privateloader-malware'], 'synonyms': ['Djvu', 'KeyPass']}\n", "Stration {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stration']}\n", "Stresspaint {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint', 'https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/', 'https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/', 'https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/', 'https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/']}\n", "StrifeWater RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat', 'https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard', 'https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations']}\n", "StrongPity {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity', 'https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/', 'https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html', 'https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf', 'https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/', 'https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg', 'https://twitter.com/physicaldrive0/status/786293008278970368', 'https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4', 'https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation', 'https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity', 'https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA', 'https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara', 'https://blogs.blackberry.com/en/2021/11/zebra2104', 'https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/']}\n", "Stuxnet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet', 'https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf', 'https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html', 'https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper', 'https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf', 'http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html', 'https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147', 'https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf', 'https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/', 'https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet']}\n", "Subzero {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero', 'https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf', 'https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/', 'https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html', 'https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/'], 'synonyms': ['Corelump', 'Jumplump']}\n", "SUCEFUL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.suceful', 'https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html', 'https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf']}\n", "Sugar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sugar', 'https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69', 'https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49', 'https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb']}\n", "SUGARDUMP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sugardump', 'https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping']}\n", "SUGARRUSH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sugarrush', 'https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping']}\n", "SUNBURST {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst', 'https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/', 'https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack', 'https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons', 'https://www.youtube.com/watch?v=JoMwrkijTZ8', 'https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/', 'https://www.mandiant.com/resources/unc2452-merged-into-apt29', 'https://youtu.be/Ta_vatZ24Cs?t=59', 'https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident', 'https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack', 'https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html', 'https://pastebin.com/6EDgCKxd', 'https://github.com/RedDrip7/SunBurst_DGA_Decode', 'https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#', 'https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html', 'https://twitter.com/cybercdh/status/1338885244246765569', 'https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug', 'https://www.youtube.com/watch?v=-Vsgmw2G4Wo', 'https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst', 'https://github.com/SentineLabs/SolarWinds_Countermeasures', 'https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/', 'https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/', 'https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS', 'https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/', 'https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/', 'https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/', 'https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/', 'https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection', 'https://www.mimecast.com/blog/important-security-update/', 'https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs', 'https://www.youtube.com/watch?v=dV2QTLSecpc', 'https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html', 'https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards', 'https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach', 'https://www.solarwinds.com/securityadvisory/faq', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha', 'https://github.com/sophos-cybersecurity/solarwinds-threathunt', 'https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html', 'https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack', 'https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/', 'https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/', 'https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure', 'https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/', 'https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/', 'https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/', 'https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html', 'https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/', 'https://securelist.com/sunburst-backdoor-kazuar/99981/', 'https://netresec.com/?b=211f30f', 'https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/', 'https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q', 'https://www.youtube.com/watch?v=cMauHTV-lJg', 'https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/', 'https://www.mandiant.com/media/10916/download', 'https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims', 'https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/', 'https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html', 'https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/', 'https://unit42.paloaltonetworks.com/atoms/solarphoenix/', 'https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/', 'https://twitter.com/0xrb/status/1339199268146442241', 'https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f', 'https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/', 'https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more', 'https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html', 'https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign', 'https://twitter.com/Intel471Inc/status/1339233255741120513', 'https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view', 'https://www.youtube.com/watch?v=GfbxHy6xnbA', 'https://twitter.com/megabeets_/status/1339308801112027138', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/', 'https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://twitter.com/ItsReallyNick/status/1338382939835478016', 'https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095', 'https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution', 'https://twitter.com/cybercdh/status/1338975171093336067', 'https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html', 'https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/', 'https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306', 'https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection', 'https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/', 'https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf', 'https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware', 'https://www.mimecast.com/incident-report/', 'https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/', 'https://twitter.com/cybercdh/status/1339241246024404994', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610', 'https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware', 'https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947', 'https://twitter.com/FireEye/status/1339295983583244302', 'https://www.comae.com/posts/sunburst-memory-analysis/', 'https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/', 'https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/', 'https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json', 'https://community.riskiq.com/article/9a515637', 'https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/', 'https://github.com/fireeye/sunburst_countermeasures', 'https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/', 'https://www.solarwinds.com/securityadvisory', 'https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en', 'https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation', 'https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar', 'https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf', 'https://netresec.com/?b=212a6ad', 'https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a', 'https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html', 'https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline', 'https://www.brighttalk.com/webcast/7451/469525', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds', 'https://netresec.com/?b=2113a6a', 'https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data', 'https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack', 'https://us-cert.cisa.gov/remediating-apt-compromised-networks', 'https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html', 'https://us-cert.cisa.gov/ncas/alerts/aa21-077a', 'https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc', 'https://www.cisa.gov/supply-chain-compromise', 'https://www.sans.org/webcasts/contrarian-view-solarwinds-119515', 'https://us-cert.cisa.gov/ncas/alerts/aa20-352a', 'https://twitter.com/KimZetter/status/1338305089597964290', 'https://netresec.com/?b=211cd21', 'https://github.com/fireeye/Mandiant-Azure-AD-Investigator', 'https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718', 'https://youtu.be/SW8kVkwDOrc?t=24706', 'https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth', 'https://www.brighttalk.com/webcast/7451/462719', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control', 'https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a', 'https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/', 'https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm', 'https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/', 'https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html', 'https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/', 'https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf', 'https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html', 'https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware', 'https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/', 'https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/', 'https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software', 'https://www.4hou.com/posts/KzZR', 'https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action', 'https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714', 'https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks', 'https://github.com/cisagov/CHIRP', 'https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response', 'https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/', 'https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/', 'https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf', 'https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/', 'https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/', 'https://www.cadosecurity.com/post/responding-to-solarigate', 'https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection', 'https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities', 'https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf', 'https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/', 'https://www.fireeye.com/current-threats/sunburst-malware.html', 'https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate', 'https://us-cert.cisa.gov/ncas/alerts/aa21-008a', 'https://www.youtube.com/watch?v=LA-XE5Jy2kU', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update', 'https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q', 'https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/', 'https://twitter.com/lordx64/status/1338526166051934213', 'https://www.youtube.com/watch?v=mbGN1xqy1jY'], 'synonyms': ['Solorigate']}\n", "SunCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/', 'https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83', 'https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/', 'https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound', 'https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion', 'https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/', 'https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt', 'https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022', 'https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf', 'https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/', 'https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/', 'https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/', 'https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html', 'https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/', 'https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer', 'https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel']}\n", "SunOrcal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal', 'http://pwc.blogs.com/cyber_security_updates/2016/03/index.html', 'https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/']}\n", "SunSeed {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sunseed', 'https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails', 'https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware']}\n", "SUPERNOVA {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova', 'https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group', 'https://www.youtube.com/watch?v=7WX5fCEzTlA', 'https://unit42.paloaltonetworks.com/solarstorm-supernova', 'https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html', 'https://twitter.com/MalwareRE/status/1342888881373503488', 'https://unit42.paloaltonetworks.com/solarstorm-supernova/', 'https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html', 'https://github.com/fireeye/sunburst_countermeasures', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a', 'https://www.solarwinds.com/securityadvisory', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a', 'https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html', 'https://www.anquanke.com/post/id/226029', 'https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis', 'https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/', 'https://www.solarwinds.com/securityadvisory/faq', 'https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/', 'https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan', 'https://us-cert.cisa.gov/ncas/alerts/aa21-008a', 'https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html', 'https://github.com/fireeye/sunburst_countermeasures/pull/5', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/']}\n", "SuppoBox {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox', 'https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf', 'https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim', 'https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1', 'https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us', 'https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf'], 'synonyms': ['Bayrob', 'Nivdort']}\n", "surtr {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.surtr', 'https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/']}\n", "SVCReady {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready', 'https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/', 'https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/']}\n", "swen {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.swen', 'https://en.wikipedia.org/wiki/Swen_(computer_worm)']}\n", "Sword {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sword', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "sykipot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf', 'https://www.alienvault.com/blogs/labs-research/sykipot-is-back', 'https://community.rsa.com/thread/185437', 'https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/', 'https://www.secureworks.com/research/threat-profiles/bronze-edison', 'https://www.symantec.com/connect/blogs/sykipot-attacks'], 'synonyms': ['Wkysol', 'getkys']}\n", "SynAck {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.synack', 'https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/', 'https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/']}\n", "SyncCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt', 'https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/']}\n", "SynFlooder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "Synth Loader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader']}\n", "Sys10 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://securelist.com/analysis/publications/69953/the-naikon-apt/', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf']}\n", "Syscon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon', 'https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/', 'https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/', 'http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/']}\n", "SysGet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget', 'http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf', 'http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/']}\n", "SysJoker (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker', 'https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/', 'https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/', 'https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html']}\n", "SysKit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit', 'https://twitter.com/QW5kcmV3/status/1176861114535165952', 'https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897', 'https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media', 'https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/', 'https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain', 'https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html'], 'synonyms': ['IvizTech', 'MANGOPUNCH']}\n", "Sysraw Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer', 'https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/', 'https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/'], 'synonyms': ['Clipsa']}\n", "Sysrv-hello (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sysrv_hello', 'https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/', 'https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet']}\n", "SysScan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan']}\n", "SystemBC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc', 'https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/', 'https://news.sophos.com/en-us/2020/12/16/systembc/', 'https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders', 'https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/', 'https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/', 'https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html', 'https://asec.ahnlab.com/en/33600/', 'https://www.bitsight.com/blog/emotet-botnet-rises-again', 'https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6', 'https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor', 'https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/', 'https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-249a', 'https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis', 'https://www.mandiant.com/resources/chasing-avaddon-ransomware', 'https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'], 'synonyms': ['Coroxy']}\n", "Szribi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'https://www.secureworks.com/research/srizbi', 'https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html', 'https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel']}\n", "TabMsgSQL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "taidoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor', 'https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf', 'https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html', 'https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html', 'https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1'], 'synonyms': ['simbot']}\n", "TAINTEDSCRIBE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.taintedscribe', 'https://blog.reversinglabs.com/blog/hidden-cobra', 'https://www.us-cert.gov/ncas/analysis-reports/ar20-133b']}\n", "Taleret {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret', 'http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html', 'https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html']}\n", "Tandfuy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy']}\n", "Tapaoux {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux']}\n", "TargetCompany {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany', 'https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/', 'https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/', 'https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html', 'https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html'], 'synonyms': ['Tohnichi']}\n", "Tarsip {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "Taurus Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer', 'https://www.zscaler.com/blogs/research/taurus-new-stealer-town', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/', 'https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md', 'https://blog.minerva-labs.com/taurus-stealers-evolution']}\n", "TClient {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient', 'https://twitter.com/stvemillertime/status/1266050369370677249'], 'synonyms': ['FIRESHADOW']}\n", "tDiscoverer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer', 'https://www.youtube.com/watch?v=UE9suwyuic8', 'https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf', 'https://securityintelligence.com/hammertoss-what-me-worry/'], 'synonyms': ['HAMMERTOSS', 'HammerDuke']}\n", "TDTESS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess', 'http://www.clearskysec.com/tulip/']}\n", "TeamBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot', 'https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/'], 'synonyms': ['FINTEAM']}\n", "TeamSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy', 'https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/', 'https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent', 'https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer', 'https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging'], 'synonyms': ['TVRAT', 'TVSPY', 'TeamViewerENT']}\n", "TEARDROP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop', 'https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack', 'https://www.brighttalk.com/webcast/7451/462719', 'https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf', 'https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/', 'https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware', 'https://www.mandiant.com/resources/unc2452-merged-into-apt29', 'https://twitter.com/craiu/status/1339954817247158272', 'https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html', 'https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html', 'https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/', 'https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware', 'https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/', 'https://github.com/fireeye/sunburst_countermeasures', 'https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714', 'https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/', 'https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/', 'https://unit42.paloaltonetworks.com/atoms/solarphoenix/', 'https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/', 'https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline', 'https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds', 'https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate', 'https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more', 'https://www.sans.org/webcasts/contrarian-view-solarwinds-119515', 'https://www.youtube.com/watch?v=LA-XE5Jy2kU', 'https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader', 'https://www.youtube.com/watch?v=GfbxHy6xnbA', 'https://twitter.com/TheEnergyStory/status/1346096298311741440', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://twitter.com/TheEnergyStory/status/1342041055563313152', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b']}\n", "TefoSteal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal', 'https://twitter.com/WDSecurity/status/1105990738993504256']}\n", "TelAndExt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.telandext', 'https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/']}\n", "TelB {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.telb', 'https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/']}\n", "TeleBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot', 'http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/', 'https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine', 'https://www.secureworks.com/research/threat-profiles/iron-viking']}\n", "TeleDoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor', 'http://blog.talosintelligence.com/2017/07/the-medoc-connection.html', 'https://www.secureworks.com/research/threat-profiles/iron-viking', 'https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/']}\n", "TelegramGrabber {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.telegram_grabber', 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html']}\n", "TellYouThePass {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks', 'https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/']}\n", "Tempedreve {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve']}\n", "Terminator RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat', 'https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf', 'https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf', 'https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf', 'http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html'], 'synonyms': ['Fakem RAT']}\n", "Termite {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.termite', 'https://www.alienvault.com/blogs/labs-research/internet-of-termites', 'https://www.mandiant.com/resources/evolution-of-fin7', 'https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/']}\n", "TerraPreter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter', 'https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/']}\n", "TerraLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader', 'https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244', 'https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/', 'https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-']}\n", "TerraRecon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_recon', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9'], 'synonyms': ['Taurus Loader Reconnaissance Module']}\n", "TerraStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer', 'https://github.com/eset/malware-ioc/tree/master/evilnum', 'https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/', 'https://twitter.com/3xp0rtblog/status/1275746149719252992', 'https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/', 'https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'], 'synonyms': ['SONE', 'StealerOne', 'Taurus Loader Stealer Module']}\n", "TerraTV {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9', 'https://blog.minerva-labs.com/taurus-user-guided-infection', 'https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/'], 'synonyms': ['Taurus Loader TeamViewer Module']}\n", "TeslaCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt', 'https://community.riskiq.com/article/30f22a00', 'https://blogs.cisco.com/security/talos/teslacrypt', 'https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/', 'https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/', 'https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla', 'https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/', 'https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/', 'https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack', 'https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf', 'https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html', 'https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/'], 'synonyms': ['cryptesla']}\n", "TFlower {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower', 'https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign', 'https://www.sygnia.co/mata-framework', 'https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/']}\n", "Thanatos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos', 'https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market'], 'synonyms': ['Alphabot']}\n", "Thanatos Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom', 'https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/', 'https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html', 'https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/']}\n", "ThinMon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.thinmon', 'https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg']}\n", "ThreeByte {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte', 'https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html']}\n", "ThumbThief {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief', 'http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/']}\n", "ThunderX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx', 'https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/', 'https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/', 'https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/', 'https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3', 'https://www.ic3.gov/Media/News/2021/211026.pdf', 'https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html', 'https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/', 'https://www.mandiant.com/resources/chasing-avaddon-ransomware', 'https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps'], 'synonyms': ['Ranzy Locker']}\n", "Thunker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker']}\n", "Tidepool {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool', 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf', 'https://unit42.paloaltonetworks.com/atoms/shallowtaurus/', 'http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/']}\n", "Tiger RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat', 'https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/', 'https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf', 'https://www.brighttalk.com/webcast/18282/493986', 'https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf', 'https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html', 'https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html']}\n", "tildeb {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tildeb', 'https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf']}\n", "Tinba {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba', 'http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf', 'http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html', 'http://contagiodump.blogspot.com/2012/06/amazon.html', 'http://www.theregister.co.uk/2012/06/04/small_banking_trojan/', 'https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant', 'https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html', 'https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/', 'https://adalogics.com/blog/the-state-of-advanced-code-injections', 'http://garage4hackers.com/entry.php?b=3086', 'https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan'], 'synonyms': ['Illi', 'TinyBanker', 'Zusy']}\n", "TinyLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader', 'https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf', 'https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak']}\n", "TinyMet {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet', 'https://twitter.com/VK_Intel/status/1273292957429510150', 'https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/', 'https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/', 'https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/', 'https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/', 'https://www.secureworks.com/research/threat-profiles/gold-niagara', 'https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://github.com/SherifEldeeb/TinyMet', 'https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do'], 'synonyms': ['TiniMet']}\n", "TinyNuke {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke', 'https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/', 'https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html', 'https://krebsonsecurity.com/tag/nuclear-bot/', 'https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://asec.ahnlab.com/en/27346/', 'https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet', 'https://asec.ahnlab.com/en/32781/', 'https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/', 'https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/', 'https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702'], 'synonyms': ['MicroBankingTrojan', 'Nuclear Bot', 'NukeBot', 'Xbot']}\n", "TinyTyphon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon', 'https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf', 'https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign']}\n", "TinyZbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot', 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf', 'https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten']}\n", "TinyTurla {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla', 'https://blog.talosintelligence.com/2021/09/tinyturla.html', 'https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/']}\n", "Tiop {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop']}\n", "Tmanger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger', 'https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia', 'https://vblocalhost.com/uploads/VB2020-20.pdf', 'https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/', 'https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf', 'https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop', 'https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager', 'https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op', 'https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/', 'https://www.youtube.com/watch?v=1WfPlgtfWnQ', 'https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/'], 'synonyms': ['LuckyBack']}\n", "Tofsee {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee', 'https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf', 'https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/', 'https://www.cert.pl/en/news/single/tofsee-en/', 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html', 'https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/', 'https://intel471.com/blog/privateloader-malware', 'https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/'], 'synonyms': ['Gheg']}\n", "TokyoX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tokyox', 'https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact/', 'https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact-part-2/']}\n", "tomiris {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tomiris', 'https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/']}\n", "TONEDEAF {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf', 'https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/', 'https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html', 'https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/']}\n", "Tonnerre {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tonnerre', 'https://research.checkpoint.com/2021/after-lightning-comes-thunder/', 'https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf']}\n", "Torisma {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/', 'https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html', 'https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf', 'http://blog.nsfocus.net/stumbzarus-apt-lazarus/']}\n", "TorrentLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/'], 'synonyms': ['Teerac']}\n", "ToxicEye {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye', 'https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/', 'https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/']}\n", "tRat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.trat', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://www.gdatasoftware.com/blog/trat-control-via-smartphone', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf']}\n", "TreasureHunter {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter', 'http://adelmas.com/blog/treasurehunter.php', 'https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/', 'https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html'], 'synonyms': ['huntpos']}\n", "TrickBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption', 'https://blog.talosintelligence.com/2020/03/trickbot-primer.html', 'https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms', 'https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/', 'https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors', 'https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/', 'https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure', 'https://www.ic3.gov/Media/News/2022/220120.pdf', 'https://blog.fraudwatchinternational.com/malware/trickbot-malware-works', 'https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf', 'https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/', 'https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/', 'https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident', 'https://community.riskiq.com/article/111d6005/description', 'https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/', 'https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html', 'https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/', 'https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/', 'https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/', 'https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html', 'https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/', 'https://www.intrinsec.com/deobfuscating-hunting-ostap/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/', 'https://www.netscout.com/blog/asert/dropping-anchor', 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2', 'https://www.youtube.com/watch?v=EyDiIAt__dI', 'https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/', 'https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/', 'https://us-cert.cisa.gov/ncas/alerts/aa21-076a', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/', 'https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/', 'https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/', 'https://www.secdata.com/the-trickbot-and-mikrotik/', 'https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/', 'https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/', 'https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf', 'https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/', 'https://www.cert.pl/en/news/single/detricking-trickbot-loader/', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf', 'https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/', 'https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf', 'https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/', 'https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/', 'https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/', 'https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a', 'https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows', 'https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/', 'https://osint.fans/service-nsw-russia-association', 'https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/', 'https://blog.cyberint.com/ryuk-crypto-ransomware', 'https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/', 'https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://community.riskiq.com/article/04ec92f4', 'https://blog.lumen.com/a-look-inside-the-trickbot-botnet/', 'https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/', 'https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html', 'https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/', 'https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/', 'https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features', 'https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes', 'https://www.mandiant.com/media/12596/download', 'https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf', 'https://redcanary.com/resources/webinars/deep-dive-process-injection/', 'https://share.vx-underground.org/Conti/', 'https://www.crowdstrike.com/blog/wizard-spider-adversary-update/', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/', 'https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html', 'https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass', 'https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html', 'https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware', 'https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/', 'https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/', 'https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/', 'https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns', 'https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/', 'https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf', 'https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/', 'https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth', 'https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/', 'https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes', 'https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre', 'https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/', 'https://www.wired.com/story/trickbot-malware-group-internal-messages/', 'https://content.fireeye.com/m-trends/rpt-m-trends-2020', 'https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/', 'https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html', 'https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/', 'https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles', 'https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/', 'https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/', 'http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot', 'https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them', 'https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/', 'https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412', 'https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf', 'https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/', 'http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c', 'https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/', 'https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/', 'https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/', 'https://www.wired.co.uk/article/trickbot-malware-group-internal-messages', 'https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/', 'https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/', 'https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html', 'https://www.joesecurity.org/blog/498839998833561473', 'https://intel471.com/blog/conti-leaks-ransomware-development', 'https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html', 'https://cofenselabs.com/all-you-need-is-text-second-wave/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://twitter.com/VK_Intel/status/1328578336021483522', 'https://twitter.com/anthomsec/status/1321865315513520128', 'https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf', 'https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/', 'https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/', 'https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/', 'https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/', 'https://www.youtube.com/watch?v=EdchPEHnohw', 'https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/', 'https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization', 'https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf', 'https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/', 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/', 'https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573', 'https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/', 'https://intel471.com/blog/a-brief-history-of-ta505', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez', 'https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet', 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx', 'https://duo.com/decipher/trickbot-up-to-its-old-tricks', 'https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf', 'http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html', 'https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis', 'https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html', 'https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module', 'https://thehackernews.com/2022/05/malware-analysis-trickbot.html', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf', 'https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/', 'https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/', 'https://labs.vipre.com/trickbots-tricks/', 'https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf', 'https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest', 'https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/', 'https://www.youtube.com/watch?v=KMcSAlS9zGE', 'https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot', 'https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko', 'http://www.secureworks.com/research/threat-profiles/gold-blackburn', 'https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html', 'https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html', 'https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html', 'https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor', 'https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf', 'https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/', 'https://intel471.com/blog/conti-emotet-ransomware-conti-leaks', 'https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/', 'https://www.youtube.com/watch?v=Brx4cygfmg8', 'https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks', 'https://www.secureworks.com/research/threat-profiles/gold-ulrick', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf', 'https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/', 'https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html', 'https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal', 'https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/', 'https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/', 'https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked', 'https://www.secureworks.com/research/threat-profiles/gold-blackburn', 'https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/', 'https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/', 'https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/', 'https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/', 'https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html', 'https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html', 'https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf', 'https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf', 'https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor', 'https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/', 'https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf', 'https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/', 'https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx', 'https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/', 'https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html', 'https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/', 'https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf', 'https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://securelist.com/trickbot-module-descriptions/104603/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/', 'https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/', 'https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf', 'https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/', 'https://arcticwolf.com/resources/blog/karakurt-web', 'http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html', 'http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html', 'https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/', 'https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/', 'https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/', 'https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/', 'http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html', 'https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/', 'https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/', 'https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6', 'https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/', 'https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/', 'https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/', 'https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships', 'https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html', 'https://www.secureworks.com/research/threat-profiles/gold-swathmore', 'https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/', 'https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works', 'https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737', 'https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://www.justice.gov/opa/press-release/file/1445241/download', 'https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/', 'http://www.malware-traffic-analysis.net/2018/02/01/', 'https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker', 'https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/', 'https://community.riskiq.com/article/298c9fc9', 'https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/', 'https://www.splunk.com/en_us/blog/security/detecting-trickbots.html', 'https://intel471.com/blog/privateloader-malware', 'https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/', 'https://unit42.paloaltonetworks.com/ryuk-ransomware/', 'https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf', 'https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056', 'https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware', 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group', 'https://www.hhs.gov/sites/default/files/bazarloader.pdf', 'https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.youtube.com/watch?v=lTywPmZEU1A', 'https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/', 'https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/', 'https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/', 'https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/', 'https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607', 'https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/'], 'synonyms': ['TheTrick', 'TrickLoader', 'Trickster']}\n", "Triton {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.triton', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF', 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-083a', 'https://www.eenews.net/stories/1060123327/', 'https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html', 'https://dragos.com/blog/trisis/TRISIS-01.pdf', 'https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://www.ic3.gov/Media/News/2022/220325.pdf', 'https://home.treasury.gov/news/press-releases/sm1162', 'https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://github.com/ICSrepo/TRISIS-TRITON-HATMAN', 'https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf', 'https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security'], 'synonyms': ['HatMan', 'Trisis']}\n", "Trochilus RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats', 'https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf', 'https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html', 'https://github.com/m0n0ph1/malware-1/tree/master/Trochilus', 'https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf', 'https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains', 'https://www.secureworks.com/research/threat-profiles/bronze-vinewood', 'https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn', 'https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf', 'https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments', 'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf', 'https://github.com/5loyd/trochilus/']}\n", "Troldesh {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh', 'https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/', 'https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/', 'https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/', 'https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/', 'https://securelist.com/the-shade-encryptor-a-double-threat/72087/', 'https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/', 'https://support.kaspersky.com/13059', 'https://blog.avast.com/ransomware-strain-troldesh-spikes', 'https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/', 'https://github.com/shade-team/keys', 'https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/'], 'synonyms': ['Shade']}\n", "TroubleGrabber {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.troublegrabber', 'https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord']}\n", "troystealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.troystealer', 'https://seguranca-informatica.pt/troystealer-a-new-info-stealer-targeting-portuguese-internet-users']}\n", "Trump Ransom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom']}\n", "Tsifiri {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri']}\n", "TUNNELFISH {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tunnelfish', 'https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors']}\n", "turian {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.turian', 'https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/', 'https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day']}\n", "Turkojan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.turkojan', 'https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf']}\n", "TurlaRPC {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc', 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/', 'https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://unit42.paloaltonetworks.com/ironnetinjector/']}\n", "Turla SilentMoon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/', 'https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity', 'https://twitter.com/Arkbird_SOLG/status/1304187749373800455'], 'synonyms': ['BigBoss', 'Cacao', 'GoldenSky', 'HyperStack']}\n", "TURNEDUP {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup', 'https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/', 'https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage', 'https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html', 'https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage'], 'synonyms': ['Notestuk']}\n", "TypeHash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash', 'https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf', 'https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf'], 'synonyms': ['SkinnyD']}\n", "Tyupkin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin', 'https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf', 'https://www.lastline.com/labsblog/tyupkin-atm-malware/', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html']}\n", "T-Cmd {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.t_cmd', 'https://github.com/crackeeer/2006-defconbot/blob/master/T-cmd.cpp'], 'synonyms': ['t_cmd']}\n", "T-RAT 2.0 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.t_rat', 'https://www.gdatasoftware.com/blog/trat-control-via-smartphone']}\n", "UACMe {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme', 'https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/', 'https://github.com/hfiref0x/UACME'], 'synonyms': ['Akagi']}\n", "UDPoS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos', 'https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns', 'https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html']}\n", "UFR Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer', 'https://twitter.com/malwrhunterteam/status/1096363455769202688', 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal'], 'synonyms': ['Usteal']}\n", "Uiwix {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix', 'https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue']}\n", "UnderminerEK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek', 'https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become', 'https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/']}\n", "Unidentified 001 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001']}\n", "Unidentified 003 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003']}\n", "Unidentified 006 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006']}\n", "Unidentified 013 (Korean) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware', 'http://blog.talosintelligence.com/2017/02/korean-maldoc.html']}\n", "Unidentified 020 (Vault7) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7', 'https://wikileaks.org/ciav7p1/cms/page_34308128.html']}\n", "Unidentified 022 (Ransom) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom']}\n", "Unidentified 023 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023']}\n", "Unidentified 024 (Ransomware) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom', 'https://twitter.com/malwrhunterteam/status/789161704106127360']}\n", "Unidentified 025 (Clickfraud) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud', 'http://malware-traffic-analysis.net/2016/05/09/index.html']}\n", "Unidentified 028 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028']}\n", "Unidentified 029 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029']}\n", "Filecoder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030', 'https://twitter.com/JaromirHorejsi/status/877811773826641920']}\n", "Unidentified 031 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031']}\n", "Unidentified 037 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037']}\n", "Unidentified 038 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038']}\n", "Unidentified 039 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039']}\n", "Unidentified 041 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041']}\n", "Unidentified 042 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042', 'http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/']}\n", "Unidentified 044 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044']}\n", "Unidentified 045 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045']}\n", "Unidentified 047 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047', 'https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/']}\n", "Unidentified 052 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052']}\n", "Unidentified 053 (Wonknu?) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053']}\n", "Unidentified 057 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057', 'https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/']}\n", "Unidentified 058 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058', 'https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat', 'https://securelist.com/the-return-of-the-bom/90065/']}\n", "Unidentified 061 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061']}\n", "Unidentified 063 (Lazarus Keylogger) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_063', 'https://twitter.com/KevinPerlow/status/1160766519615381504']}\n", "Unidentified 066 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_066', 'https://s.tencent.com/research/report/669.html']}\n", "Unidentified 067 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_067', 'https://s.tencent.com/research/report/831.html']}\n", "Unidentified 068 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068', 'https://rules.emergingthreatspro.com/changelogs/suricata-5.0-enhanced.etpro.2019-12-05T23:38:02.txt']}\n", "Unidentified 069 (Zeus Unnamed2) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069', 'https://zeusmuseum.com/unnamed%202/']}\n", "Unidentified 070 (Downloader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070', 'https://twitter.com/M11Sec/status/1217781224204357633']}\n", "Unidentified 071 (Zeus Unnamed1) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071', 'https://zeusmuseum.com/unnamed%201/']}\n", "Unidentified 072 (Metamorfo Loader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_072', 'https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md']}\n", "Unidentified 074 (Downloader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074', 'https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html']}\n", "Unidentified 075 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075', 'https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html']}\n", "Unidentified 076 (Higaisa LNK to Shellcode) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076', 'https://www.youtube.com/watch?v=8x-pGlWpIYI', 'https://www.zscaler.com/blogs/research/return-higaisa-apt', 'https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html']}\n", "Unidentified 077 (Lazarus Downloader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077', 'https://twitter.com/ccxsaber/status/1277064824434745345']}\n", "Unidentified 078 (Zebrocy Nim Loader?) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078', 'https://twitter.com/Vishnyak0v/status/1300704689865060353']}\n", "Unidentified 080 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080', 'https://securelist.com/luckymouse-ndisproxy-driver/87914/']}\n", "Unidentified 081 (Andariel Ransomware) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_081', 'https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/']}\n", "Unidentified 083 (AutoIT Stealer) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083', 'https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/']}\n", "Unidentified 085 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_085', 'https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/']}\n", "Unidentified 087 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_087', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-south-east-asia?s=09']}\n", "Unidentified 088 (Nim Ransomware) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088', 'https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671']}\n", "Unidentified 089 (Downloader) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089', 'https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/']}\n", "Unidentified 090 (Lazarus) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_090', 'https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/']}\n", "Unidentified 091 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_091', 'https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/']}\n", "Unidentified 092 (Confucius Backdoor) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_092', 'https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ']}\n", "Unidentified 093 (Sidewinder) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_093', 'https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/']}\n", "Unidentified 094 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_094', 'https://twitter.com/katechondic/status/1556940169483264000']}\n", "Unlock92 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92', 'https://twitter.com/bartblaze/status/976188821078462465', 'https://twitter.com/struppigel/status/810753660737073153']}\n", "UPAS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.upas', 'https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html', 'https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/'], 'synonyms': ['Rombrast']}\n", "Upatre {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre', 'https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/', 'https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/', 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/', 'https://secrary.com/ReversingMalware/Upatre/']}\n", "Urausy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy']}\n", "UrlZone {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone', 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware', 'https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features', 'https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0', 'https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA', 'https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/', 'http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/', 'https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/', 'https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/', 'https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf', 'https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/', 'https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html', 'https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations', 'https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much'], 'synonyms': ['Bebloh', 'Shiotob']}\n", "Uroburos (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos', 'https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation', 'https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence', 'https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified', 'https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/', 'https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/', 'https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf', 'https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg', 'https://artemonsecurity.com/uroburos.pdf', 'https://www.secureworks.com/research/threat-profiles/iron-hunter', 'https://www.circl.lu/pub/tr-25/', 'https://exatrack.com/public/Tricephalic_Hellkeeper.pdf', 'https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken', 'https://securelist.com/analysis/publications/65545/the-epic-turla-operation/', 'https://exatrack.com/public/Uroburos_EN.pdf'], 'synonyms': ['Snake']}\n", "USBCulprit {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit', 'https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://securelist.com/cycldek-bridging-the-air-gap/97157/']}\n", "USBferry {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry', 'https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf', 'https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf', 'https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/']}\n", "Vadokrist {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist', 'https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf', 'https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/']}\n", "Vaggen {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vaggen', 'https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/']}\n", "VALUEVAULT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault', 'https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/', 'https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae', 'https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html']}\n", "vanillarat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vanillarat', 'https://github.com/DannyTheSloth/VanillaRAT']}\n", "Varenyky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky', 'https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/', 'https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/']}\n", "Vawtrak {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/', 'https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/', 'https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/', 'https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'http://thehackernews.com/2017/01/neverquest-fbi-hacker.html', 'https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest', 'https://www.secureworks.com/research/dyre-banking-trojan', 'https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak', 'https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/'], 'synonyms': ['Catch', 'NeverQuest', 'grabnew']}\n", "Veeam Dumper {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.veeam', 'https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger']}\n", "VegaLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker', 'https://twitter.com/malwrhunterteam/status/1093136163836174339', 'https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618', 'https://twitter.com/malwrhunterteam/status/1095024267459284992', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/'], 'synonyms': ['Buran', 'Vega']}\n", "Velso {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.velso', 'https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/']}\n", "Venom RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.venom', 'https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html', 'https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/', 'https://blog.malwarelab.pl/posts/venom/']}\n", "VenomLNK {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk', 'https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9', 'https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/']}\n", "Venus Locker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker', 'https://twitter.com/JaromirHorejsi/status/813690129088937984']}\n", "Vermilion Strike (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vermilion_strike', 'https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/']}\n", "Vermin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin', 'https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/', 'https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/', 'https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html']}\n", "Vflooder {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder', 'https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/']}\n", "VHD Ransomware {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware', 'https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/', 'https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/', 'https://twitter.com/GrujaRS/status/1241657443282825217', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html']}\n", "VictoryGate {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate', 'https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam', 'https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/', 'https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/', 'https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/']}\n", "Vidar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar', 'https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html', 'https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html', 'https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware', 'https://twitter.com/GroupIB_GIB/status/1570821174736850945', 'https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk', 'https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/', 'https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html', 'https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed', 'https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf', 'https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/', 'https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal', 'https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing', 'https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/', 'https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/', 'https://asec.ahnlab.com/en/30445/', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://eln0ty.github.io/malware%20analysis/vidar/', 'https://intel471.com/blog/privateloader-malware', 'https://isc.sans.edu/diary/rss/28468', 'https://asec.ahnlab.com/en/22932/', 'https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/', 'https://cert.pl/en/posts/2021/10/vidar-campaign/', 'https://threatpost.com/microsoft-help-files-vidar-malware/179078/', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/', 'https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d', 'https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/', 'https://asec.ahnlab.com/en/30875/', 'https://twitter.com/sisoma2/status/1409816282065743872', 'https://asec.ahnlab.com/ko/25837/', 'https://ke-la.com/information-stealers-a-new-landscape/', 'https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/']}\n", "VIGILANT CLEANER {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner', 'https://blog.trendmicro.co.jp/archives/28319', 'https://www.mbsd.jp/research/20210721/blog/', 'https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/', 'https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games', 'https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/'], 'synonyms': ['VIGILANT CHECKER']}\n", "virdetdoor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor', 'https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks']}\n", "Virut {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.virut', 'https://chrisdietri.ch/post/virut-resurrects/', 'https://www.mandiant.com/resources/pe-file-infecting-malware-ot', 'https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/', 'https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/', 'https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/', 'https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/', 'https://www.secureworks.com/research/virut-encryption-analysis', 'https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet']}\n", "Vizom {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vizom', 'https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/']}\n", "Vjw0rm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm', 'https://community.riskiq.com/article/24759ad2', 'https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel', 'https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics', 'https://twitter.com/tccontre18/status/1461386178528264204', 'https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape', 'https://bazaar.abuse.ch/browse/signature/Vjw0rm/', 'https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf']}\n", "VM Zeus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus', 'https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/', 'https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/'], 'synonyms': ['VMzeus', 'Zberp', 'ZeusVM']}\n", "Vobfus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus', 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions', 'https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/', 'http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html'], 'synonyms': ['Beebone']}\n", "Void {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.void', 'https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html', 'https://securelist.com/cis-ransomware/104452/'], 'synonyms': ['VoidCrypt']}\n", "Volgmer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer', 'https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://securelist.com/lazarus-threatneedle/100803/', 'https://www.secureworks.com/research/threat-profiles/nickel-academy', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.us-cert.gov/ncas/alerts/TA17-318B', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://securelist.com/operation-applejeus/87553/', 'https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view', 'https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf', 'https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74'], 'synonyms': ['FALLCHILL', 'Manuscrypt']}\n", "Vovalex {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vovalex', 'https://twitter.com/malwrhunterteam/status/1351808079164276736', 'https://twitter.com/VK_Intel/status/1355196321964109824']}\n", "Vreikstadi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi', 'https://twitter.com/malware_traffic/status/821483557990318080']}\n", "VSingle {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vsingle', 'https://blogs.jpcert.or.jp/en/2022/07/vsingle.html', 'https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html']}\n", "vSkimmer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer', 'http://www.xylibox.com/2013/01/vskimmer.html', 'https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/', 'http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis']}\n", "Vulturi {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.vulturi', 'https://twitter.com/ViriBack/status/1430604948241276928?s=20']}\n", "w32times {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times', 'https://attack.mitre.org/wiki/Group/G0022']}\n", "win.wabot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wabot', 'https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html']}\n", "WallyShack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wallyshack', 'https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/']}\n", "WannaCryptor {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor', 'https://securelist.com/big-threats-using-code-similarity-part-1/97239/', 'https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/', 'https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168', 'https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf', 'https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today', 'https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/', 'https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group', 'https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html', 'https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://www.youtube.com/watch?v=Q90uZS3taG0', 'https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/', 'https://sites.temple.edu/care/ci-rw-attacks/', 'https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf', 'https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/', 'http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/', 'https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf', 'https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf', 'https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', \"https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1\", 'https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign', 'https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware', 'https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/', 'http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html', 'https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/', 'https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html', 'https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d', 'https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf', \"https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1\", 'https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984', 'https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html', 'https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/', 'https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf', 'https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf'], 'synonyms': ['Wana Decrypt0r', 'WannaCry', 'WannaCrypt', 'Wcry']}\n", "WannaHusky {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wannahusky', 'https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909']}\n", "WannaRen {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wannaren', 'https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html']}\n", "WastedLoader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf']}\n", "WastedLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker', 'https://ioc.hatenablog.com/entry/2020/08/16/132853', 'https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/', 'https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/', 'https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware', 'https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/', 'https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html', 'https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/', 'https://unit42.paloaltonetworks.com/wastedlocker/', 'https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries', 'https://securelist.com/wastedlocker-technical-analysis/97944/', 'https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf', 'https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html', 'https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter', 'https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us', 'https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/', 'https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US', 'https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp', 'https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf', 'https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/', 'http://www.secureworks.com/research/threat-profiles/gold-drake', 'https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/', 'https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/', 'https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/', 'https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/', 'https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions', 'https://www.bbc.com/news/world-us-canada-53195749', 'https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself', 'https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/', 'https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf', 'https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/', 'https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd', 'https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://killingthebear.jorgetesta.tech/actors/evil-corp', 'https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/', 'https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf']}\n", "Waterbear {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear', 'https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/', 'https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf', 'https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf', 'https://www.youtube.com/watch?v=6SDdUVejR2w', 'https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/', 'https://daydaynews.cc/zh-tw/technology/297265.html', 'https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html'], 'synonyms': ['DbgPrint', 'EYEWELL']}\n", "WaterMiner {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer', 'https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner']}\n", "WaterSpout {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout', 'https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html']}\n", "WebC2-AdSpace {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Ausov {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Bolid {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Cson {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-DIV {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-GreenCat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Head {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Kt3 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Qbp {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Rave {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Table {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-UGX {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebC2-Yahoo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo', 'https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf']}\n", "WebMonitor RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor', 'https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/', 'https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/', 'https://revcode.se/product/webmonitor/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord', 'https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/'], 'synonyms': ['RevCode']}\n", "WeControl {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wecontrol', 'https://unit42.paloaltonetworks.com/westeal/']}\n", "WellMess {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess', 'https://us-cert.cisa.gov/ncas/alerts/aa21-116a', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html', 'https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf', 'https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf', 'https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html', 'https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b', 'https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors', 'https://blog.talosintelligence.com/2020/08/attribution-puzzle.html', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://community.riskiq.com/article/541a465f/description', 'https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf']}\n", "WeSteal {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.westeal', 'https://unit42.paloaltonetworks.com/westeal/']}\n", "WhisperGate {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate', 'https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine', 'https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb', 'https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/', 'https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/', 'https://unit42.paloaltonetworks.com/atoms/ruinousursa/', 'https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/', 'https://inquest.net/blog/2022/02/10/380-glowspark', 'https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/', 'https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html', 'https://www.crowdstrike.com/blog/who-is-ember-bear/', 'https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions', 'https://www.secureworks.com/blog/whispergate-not-notpetya', 'https://twitter.com/HuskyHacksMK/status/1482876242047258628', 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground', 'https://www.youtube.com/watch?v=2nd-f1dIfD4', 'https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine', 'https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md', 'https://thehackernews.com/2022/02/putin-warns-russian-critical.html', 'https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/', 'https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/', 'https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/', 'https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/', 'https://www.netskope.com/blog/netskope-threat-coverage-whispergate', 'https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper', 'https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3', 'https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html', 'https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/', 'https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/', 'https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/', 'https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord', 'https://cert.gov.ua/article/18101', 'https://twitter.com/nunohaien/status/1484088885575622657', 'https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/', 'https://twitter.com/Libranalysis/status/1483128221956808704', 'https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf', 'https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/', 'https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks', 'https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html', 'https://rxored.github.io/post/analysis/whispergate/whispergate/', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf', 'https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html', 'https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped', 'https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation', 'https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html', 'https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/', 'https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview', 'https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/', 'https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/', 'https://twitter.com/knight0x07/status/1483401072102502400', 'https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months', 'https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/', 'https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?', 'https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-057a', 'https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf', 'https://www.youtube.com/watch?v=Ek3URIaC5O8', 'https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf', 'https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/', 'https://www.brighttalk.com/webcast/15591/534324'], 'synonyms': ['PAYWIPE']}\n", "WhiteBird {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird', 'https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf', 'https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf']}\n", "WhiteBlackCrypt {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt', 'https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316', 'https://www.checkmal.com/video/read/3605/'], 'synonyms': ['WARYLOOK']}\n", "WildFire {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire']}\n", "WinDealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer', 'https://blogs.jpcert.or.jp/en/2021/10/windealer.html', 'https://securelist.com/windealer-dealing-on-the-side/105946/', 'https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware', 'https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_7_leon-niwa-ishimaru_en.pdf', 'https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf', 'https://securelist.com/windealer-dealing-on-the-side/105946']}\n", "winlog {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.winlog', 'https://github.com/Thibault-69/Keylogger-Windows-----WinLog']}\n", "WinMM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://securelist.com/analysis/publications/69953/the-naikon-apt/', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf']}\n", "Winnti (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti', 'https://securelist.com/games-are-over/70991/', 'http://web.br.de/interaktiv/winnti/english/', 'https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html', 'https://github.com/br-data/2019-winnti-analyse/', 'https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/', 'http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf', 'https://github.com/TKCERT/winnti-detector', 'https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf', 'https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/', 'https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf', 'https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/', 'http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf', 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape', 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/', 'https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/', 'https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf', 'https://github.com/superkhung/winnti-sniff', 'https://www.lastline.com/labsblog/helo-winnti-attack-scan/', 'https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques', 'https://content.fireeye.com/api/pdfproxy?id=86840', 'https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf', 'https://content.fireeye.com/apt-41/rpt-apt41/', 'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/', 'https://www.secureworks.com/research/threat-profiles/bronze-atlas', 'https://securelist.com/apt-trends-report-q3-2020/99204/', 'https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/', 'https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/', 'https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf', 'https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf', 'https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf', 'https://github.com/TKCERT/winnti-nmap-script', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage', 'https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html', 'https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://github.com/TKCERT/winnti-suricata-lua', 'https://attack.mitre.org/groups/G0096', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive', 'https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html', 'https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf', 'https://www.youtube.com/watch?v=_fstHQSK-kk', 'https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html'], 'synonyms': ['BleDoor', 'JUMPALL', 'Pasteboy', 'RbDoor']}\n", "WinPot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot', 'https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/', 'https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/', 'https://securelist.com/atm-robber-winpot/89611/'], 'synonyms': ['ATMPot']}\n", "WinScreeny {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.winscreeny', 'https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/']}\n", "Winsloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader', 'http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/']}\n", "Wipbot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot', 'https://docs.broadcom.com/doc/waterbug-attack-group', 'https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf', 'https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf', 'https://securelist.com/analysis/publications/65545/the-epic-turla-operation/'], 'synonyms': ['Epic', 'Tavdig']}\n", "WMI Ghost {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost', 'https://secrary.com/ReversingMalware/WMIGhost/', 'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets'], 'synonyms': ['Syndicasec', 'Wimmie']}\n", "WndTest {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "Wonknu {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu', 'https://unit42.paloaltonetworks.com/atoms/iron-taurus/']}\n", "woody {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.woody', 'https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814']}\n", "Woody RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.woodyrat', 'https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/']}\n", "Woolger {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger', 'https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf', 'http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf', 'https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf'], 'synonyms': ['WoolenLogger']}\n", "WorldWind {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.worldwind', 'https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed']}\n", "WORMHOLE {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole', 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf', 'https://content.fireeye.com/apt/rpt-apt38']}\n", "WormLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wormlocker', 'https://twitter.com/Kangxiaopao/status/1355056807924797440'], 'synonyms': ['WormLckr']}\n", "WpBruteBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot', 'https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites']}\n", "WSCSPL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl', 'https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/', 'https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/']}\n", "Wslink {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink', 'https://twitter.com/darienhuss/status/1453342652682981378', 'https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/', 'https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf'], 'synonyms': ['FinickyFrogfish']}\n", "x4 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.x4', 'https://www.gradiant.org/noticia/analysis-malware-cve-2017/']}\n", "X-Agent (Windows) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent', 'https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/', 'https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf', 'https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf', 'http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf', 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf', 'http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf', 'https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf', 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/', 'https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf'], 'synonyms': ['chopstick', 'splm']}\n", "XBot POS {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos', 'https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html']}\n", "XBTL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl']}\n", "xCaon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xcaon', 'https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/']}\n", "XData {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xdata', 'https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/'], 'synonyms': ['AESNI']}\n", "XDSpy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy', 'https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/', 'https://github.com/eset/malware-ioc/tree/master/xdspy/', 'https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf', 'https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf']}\n", "Xenon Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xenon', 'https://twitter.com/3xp0rtblog/status/1331974232192987142']}\n", " X-Files Stealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer', 'https://twitter.com/3xp0rtblog/status/1473323635469438978']}\n", "XFSADM {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm', 'https://twitter.com/VK_Intel/status/1149454961740255232', 'https://twitter.com/r3c0nst/status/1149043362244308992']}\n", "XFSCashNCR {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr', 'https://twitter.com/r3c0nst/status/1166773324548063232', 'https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/']}\n", "XiaoBa {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba', 'https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html'], 'synonyms': ['FlyStudio']}\n", "XP10 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xp10', 'https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html'], 'synonyms': ['FakeChrome Ransomware']}\n", "xPack {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack', 'https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html', 'https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks'], 'synonyms': ['NERAPACK']}\n", "Xpan {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan', 'https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/', 'https://securelist.com/blog/research/78110/xpan-i-am-your-father/']}\n", "XPCTRA {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra', 'https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html', 'https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/', 'https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis'], 'synonyms': ['Expectra']}\n", "XpertRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat', 'https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration', 'https://labs.k7computing.com/?p=15672', 'https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html']}\n", "XP PrivEsc (CVE-2014-4076) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc', 'https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf']}\n", "XServer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xserver', 'https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf', 'https://norfolkinfosec.com/filesnfer-tool-c-python/'], 'synonyms': ['Filesnfer']}\n", "xsPlus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus', 'https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf', 'https://securelist.com/analysis/publications/69953/the-naikon-apt/', 'https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf'], 'synonyms': ['nokian']}\n", "XTunnel {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel', 'https://securelist.com/big-threats-using-code-similarity-part-1/97239/', 'https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf', 'https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government', 'https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html', 'https://www.symantec.com/blogs/election-security/apt28-espionage-military-government', 'https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/', 'http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf', 'https://securelist.com/apt-trends-report-q2-2020/97937/', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf', 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf'], 'synonyms': ['Shunnael', 'X-Tunnel', 'xaps']}\n", "X-Tunnel (.NET) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net', 'https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28']}\n", "Xwo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo', 'https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner']}\n", "xxmm {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm', 'http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/', 'https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-butler', 'https://www.macnica.net/mpressioncss/feature_05.html/', 'https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf', 'https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors', 'https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses'], 'synonyms': ['ShadowWalker']}\n", "Yahoyah {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah', 'http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/'], 'synonyms': ['KeyBoy']}\n", "Yakuza {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware', 'https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html'], 'synonyms': ['Teslarvng Ransomware']}\n", "YamaBot {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yamabot', 'https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html?m=1', 'https://blogs.jpcert.or.jp/en/2022/07/yamabot.html'], 'synonyms': ['Kaos']}\n", "Yanluowang {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang', 'https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html', 'https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang', 'https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf', 'https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/', 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware']}\n", "YaRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yarat', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks']}\n", "Yarraq {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yarraq', 'https://twitter.com/GrujaRS/status/1210541690349662209', 'https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview']}\n", "Yatron {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yatron', 'https://securelist.com/ransomware-two-pieces-of-good-news/93355/']}\n", "yayih {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih', 'https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html'], 'synonyms': ['aumlib', 'bbsinfo']}\n", "Yellow Cockatoo RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yellow_cockatoo', 'https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf', 'https://redcanary.com/blog/yellow-cockatoo/'], 'synonyms': ['Polazer']}\n", "Yoddos {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yoddos', 'https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf']}\n", "YoreKey {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey', 'https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf', 'https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals']}\n", "YoungLotus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus', 'https://www.youtube.com/watch?v=AUGxYhE_CUY'], 'synonyms': ['DarkShare']}\n", "YourCyanide {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.your_cyanide', 'https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html'], 'synonyms': ['GonnaCope', 'Kekpop', 'Kekware']}\n", "YTStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer', 'https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/', 'https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/']}\n", "yty {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yty', 'https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/', 'http://blog.ptsecurity.com/2019/11/studying-donot-team.html', 'https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/', 'https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/', 'https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf', 'https://www.secureworks.com/research/threat-profiles/zinc-emerson', 'https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/']}\n", "Yunsip {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.yunsip', 'https://www.fortiguard.com/encyclopedia/virus/3229143']}\n", "Z3 {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.z3', 'https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html'], 'synonyms': ['Z3enc Ransomware']}\n", "Zacinlo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zacinlo', 'https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/'], 'synonyms': ['s5mark']}\n", "Zebrocy {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy', 'https://securelist.com/zebrocys-multilanguage-malware-salad/90680/', 'https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/', 'https://unit42.paloaltonetworks.com/atoms/fighting-ursa/', 'https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/', 'https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf', 'https://brandefense.io/zebrocy-malware-technical-analysis-report/', 'https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries', 'https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html', 'https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g', 'https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government', 'https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b', 'https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/', 'https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/', 'https://meltx0r.github.io/tech/2019/10/24/apt28.html', 'https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/', 'https://www.secureworks.com/research/threat-profiles/iron-twilight', 'https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og', 'https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/', 'https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html', 'https://securelist.com/greyenergys-overlap-with-zebrocy/89506/', 'https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf', 'https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/', 'https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/', 'https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf', 'https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf', 'https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf', 'https://securelist.com/a-zebrocy-go-downloader/89419/', 'https://research.checkpoint.com/malware-against-the-c-monoculture/', 'https://securelist.com/apt-trends-report-q2-2019/91897/', 'https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/'], 'synonyms': ['Zekapab']}\n", "Zebrocy (AutoIT) {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3', 'https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/', 'https://www.secureworks.com/research/threat-profiles/iron-twilight']}\n", "Zedhou {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou']}\n", "zenar {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zenar', 'https://twitter.com/3xp0rtblog/status/1387996083712888832?s=20']}\n", "Zeoticus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus', 'https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/']}\n", "Zeppelin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin', 'https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-223a', 'https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin', 'https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf', 'https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618', 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf', 'https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-223A_Zeppelin_CSA.pdf', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-249a', 'https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf']}\n", "ZeroAccess {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess', 'http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html', 'https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail', 'http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/', 'http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/', 'https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/', 'http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/', 'http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/', 'http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html', 'https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/', 'https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/'], 'synonyms': ['Max++', 'Sirefef', 'Smiscer']}\n", "ZeroCleare {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare', 'https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government', 'https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf', 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf', 'https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/', 'https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat', 'https://www.ibm.com/downloads/cas/OAJ4VZNJ']}\n", "ZeroEvil {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil', 'https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/']}\n", "ZeroLocker {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zerolocker', 'http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html']}\n", "ZeroT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot', 'https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx']}\n", "Zeus {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus', 'https://securelist.com/financial-cyberthreats-in-2020/101638/', 'https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/', 'http://eternal-todo.com/blog/detecting-zeus', 'https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite', 'http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://www.secureworks.com/research/threat-profiles/bronze-woodland', 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf', 'https://www.mnin.org/write/ZeusMalware.pdf', 'https://www.secureworks.com/research/zeus?threat=zeus', 'https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/', 'https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/', 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a', 'http://eternal-todo.com/blog/new-zeus-binary', 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html', 'http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html', 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/', 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf', 'http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html', 'https://www.wired.com/2017/03/russian-hacker-spy-botnet/', 'http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html', 'http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html', 'https://www.secureworks.com/research/threat-profiles/gold-evergreen', 'http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html', 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree', 'https://nakedsecurity.sophos.com/2010/07/24/sample-run/', 'https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals', 'http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html', 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf', 'https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group', 'https://www.s21sec.com/en/zeus-the-missing-link/', 'http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html', 'http://eternal-todo.com/blog/zeus-spreading-facebook', 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf', 'http://www.secureworks.com/research/threat-profiles/gold-evergreen', 'https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf'], 'synonyms': ['Zbot']}\n", "ZeusAction {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action', 'https://www.youtube.com/watch?v=EyDiIAt__dI', 'https://twitter.com/benkow_/status/1136983062699487232']}\n", "Zeus MailSniffer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer']}\n", "Zeus OpenSSL {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl', 'https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/', 'https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/', 'https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/'], 'synonyms': ['XSphinx']}\n", "Zeus Sphinx {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx', 'https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html', 'https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/', 'https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/']}\n", "Zezin {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin', 'https://twitter.com/siri_urz/status/923479126656323584']}\n", "zgRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat', 'https://bazaar.abuse.ch/browse/signature/zgRAT/']}\n", "ZhCat {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf']}\n", "ZhMimikatz {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz', 'https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf', 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf']}\n", "ZingoStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zingo_stealer', 'https://blogs.blackberry.com/en/2022/05/threat-thursday-zingostealer'], 'synonyms': ['Ginzo']}\n", "ZitMo {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo', 'https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/', 'https://mobisec.reyammer.io/slides'], 'synonyms': ['ZeuS-in-the-Mobile']}\n", "ZiyangRAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat', 'https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators']}\n", "Zloader {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader', 'https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks', 'https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/', 'https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit', 'https://blog.alyac.co.kr/3322', 'https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/', 'https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489', 'https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware', 'https://unit42.paloaltonetworks.com/api-hammering-malware-families/', 'https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/', 'https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/', 'https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf', 'https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems', 'https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1', 'https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/', 'https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html', 'https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/', 'https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf', 'https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/', 'https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/', 'https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/', 'https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.youtube.com/watch?v=mhX-UoaYnOM', 'https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/', 'https://www.youtube.com/watch?v=QBoj6GB79wM', 'https://twitter.com/VK_Intel/status/1294320579311435776', 'https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns', 'https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/', 'https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html', 'https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt', 'https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/', 'https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries', 'https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/', 'https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed', 'https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/', 'https://noticeofpleadings.com/zloader/', 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf', 'https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain', 'https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/', 'https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html', 'https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf', 'https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/', 'https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/', 'https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/', 'https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145', 'https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/', 'https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/', 'https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex', 'https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/', 'https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/', 'https://johannesbader.ch/blog/the-dga-of-zloader/', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf', 'https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf', 'https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/', 'https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance', 'https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/', 'https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf', 'https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/', 'https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-110a', 'https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/', 'https://labs.k7computing.com/?p=22458', 'https://blogs.quickheal.com/zloader-entailing-different-office-files/', 'https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware', 'https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/', 'https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html', 'https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/', 'https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/', 'https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/', 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf', 'https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader', 'https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/', 'https://twitter.com/ffforward/status/1324281530026524672', 'https://www.lac.co.jp/lacwatch/people/20201106_002321.html', 'https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/', 'https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/', 'https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/'], 'synonyms': ['DELoader', 'Terdot']}\n", "Zlob {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob', 'https://blag.nullteilerfrei.de/2020/08/23/programmatically-nop-the-current-selection-in-ghidra/', 'https://en.wikipedia.org/wiki/Zlob_trojan']}\n", "ZStealer {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zstealer', 'https://twitter.com/Arkbird_SOLG/status/1458973883068043264', 'https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf'], 'synonyms': ['Z*Stealer']}\n", "Zumanek {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek', 'https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/', 'https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/']}\n", "ZUpdater {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdater', 'https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/'], 'synonyms': ['Zpevdo']}\n", "Zupdax {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdax', 'https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/', 'https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf']}\n", "ZXShell {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell', 'https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf', 'https://www.secureworks.com/research/threat-profiles/bronze-keystone', 'https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf', 'https://risky.biz/whatiswinnti/', 'https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox', 'https://www.secureworks.com/research/threat-profiles/bronze-union', 'https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw', 'https://attack.mitre.org/groups/G0001/', 'https://blogs.cisco.com/security/talos/opening-zxshell', 'https://lab52.io/blog/apt27-rootkit-updates/', 'https://attack.mitre.org/groups/G0096', 'https://unit42.paloaltonetworks.com/atoms/iron-taurus/', 'https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html', 'https://content.fireeye.com/apt-41/rpt-apt41', 'https://github.com/smb01/zxshell', 'https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf'], 'synonyms': ['Sensocode']}\n", "ZxxZ {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zxxz', 'https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/', 'https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html'], 'synonyms': ['MuuyDownloader']}\n", "Zyklon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon', 'https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html', 'https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html']}\n" ] } ] } ] }