Input Capture: Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.[1]

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.[2] Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
  • Reading raw keystroke data from the hardware buffer.
  • Windows Registry modifications.
  • Custom drivers.
  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.[3]
ID: T1056.001
Sub-technique of:  T1056
Platforms: Linux, Network, Windows, macOS
Contributors: TruKno
Version: 1.2
Created: 11 February 2020
Last Modified: 01 October 2023

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team gathered account credentials via a BlackEnergy keylogger plugin. [4][5]

S0045 ADVSTORESHELL

ADVSTORESHELL can perform keylogging.[6][7]

S0331 Agent Tesla

Agent Tesla can log keystrokes on the victim’s machine.[8][9][10][11][12]

G0130 Ajax Security Team

Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[13]

S0622 AppleSeed

AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim’s machine.[14][15]

G0007 APT28

APT28 has used tools to perform keylogging.[16][17][18]

G0022 APT3

APT3 has used a keylogging tool that records keystrokes in encrypted files.[19]

G0050 APT32

APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.[20]

G0082 APT38

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[21]

G0087 APT39

APT39 has used tools for capturing keystrokes.[22][23]

G0096 APT41

APT41 used a keylogger called GEARSHIFT on a target system.[24]

G1023 APT5

APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.[25][26]

S0373 Astaroth

Astaroth logs keystrokes from the victim's machine. [27]

S1087 AsyncRAT

AsyncRAT can capture keystrokes on the victim’s machine.[28]

S0438 Attor

One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.[29]

S0414 BabyShark

BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[30]

S0128 BADNEWS

When it first starts, BADNEWS spawns a new thread to log keystrokes.[31][32][33]

S0337 BadPatch

BadPatch has a keylogging capability.[34]

S0234 Bandook

Bandook contains keylogging capabilities.[35]

S0017 BISCUIT

BISCUIT can capture keystrokes.[36]

S0089 BlackEnergy

BlackEnergy has run a keylogger plug-in on a victim.[37]

S0454 Cadelspy

Cadelspy has the ability to log keystrokes on the compromised host.[38]

S0030 Carbanak

Carbanak logs key strokes for configured processes and sends them back to the C2 server.[39][40]

S0348 Cardinal RAT

Cardinal RAT can log keystrokes.[41]

S0261 Catchamas

Catchamas collects keystrokes from the victim’s machine.[42]

S1149 CHIMNEYSWEEP

CHIMNEYSWEEP has the ability to support keylogging.[43]

S0023 CHOPSTICK

CHOPSTICK is capable of performing keylogging.[44][6][17]

S0660 Clambling

Clambling can capture keystrokes on a compromised host.[45][46]

S0154 Cobalt Strike

Cobalt Strike can track key presses with a keylogger module.[47][48][49]

S0338 Cobian RAT

Cobian RAT has a feature to perform keylogging on the victim’s machine.[50]

S0050 CosmicDuke

CosmicDuke uses a keylogger.[51]

S0115 Crimson

Crimson can use a module to perform keylogging on compromised hosts.[52][53][54]

S0625 Cuba

Cuba logs keystrokes via polling by using GetKeyState and VkKeyScan functions.[55]

C0029 Cutting Edge

During Cutting Edge, threat actors modified a JavaScript file on the Web SSL VPN component of Ivanti Connect Secure devices to keylog credentials.[56]

S0334 DarkComet

DarkComet has a keylogging capability.[57]

S1111 DarkGate

DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.[58]

G0012 Darkhotel

Darkhotel has used a keylogger.[59]

S1066 DarkTortilla

DarkTortilla can download a keylogging module.[60]

S0673 DarkWatchman

DarkWatchman can track key presses with a keylogger module.[61]

S0187 Daserf

Daserf can log keystrokes.[62][63]

S0021 Derusbi

Derusbi is capable of logging keystrokes.[64]

S0213 DOGCALL

DOGCALL is capable of logging keystrokes.[65][66]

S0567 Dtrack

Dtrack’s dropper contains a keylogging executable.[67]

S0038 Duqu

Duqu can track key presses with a keylogger module.[68]

S1159 DUSTTRAP

DUSTTRAP can perform keylogging operations.[69]

S0062 DustySky

DustySky contains a keylogger.[70]

S0593 ECCENTRICBANDWAGON

ECCENTRICBANDWAGON can capture and store keystrokes.[71]

S0363 Empire

Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[72]

S0152 EvilGrab

EvilGrab has the capability to capture keystrokes.[73]

S0569 Explosive

Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.[74][75]

S0076 FakeM

FakeM contains a keylogger module.[76]

G1016 FIN13

FIN13 has logged the keystrokes of victims to escalate privileges.[77]

G0085 FIN4

FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[78][79]

S0381 FlawedAmmyy

FlawedAmmyy can collect keyboard events.[80]

S1044 FunnyDream

The FunnyDream Keyrecord component can capture keystrokes.[81]

S0410 Fysbis

Fysbis can perform keylogging.[82]

S0032 gh0st RAT

gh0st RAT has a keylogger.[83][84]

S0531 Grandoreiro

Grandoreiro can log keystrokes on the victim's machine.[85]

S0342 GreyEnergy

GreyEnergy has a module to harvest pressed keystrokes.[86]

G0043 Group5

Malware used by Group5 is capable of capturing keystrokes.[87]

S0170 Helminth

The executable version of Helminth has a module to log keystrokes.[88]

G1001 HEXANE

HEXANE has used a PowerShell-based keylogger named kl.ps1.[89][90]

S0070 HTTPBrowser

HTTPBrowser is capable of capturing keystrokes on victims.[91]

S0434 Imminent Monitor

Imminent Monitor has a keylogging module.[92]

S0260 InvisiMole

InvisiMole can capture keystrokes on a compromised host.[93]

S0201 JPIN

JPIN contains a custom keylogger.[94]

S0283 jRAT

jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[95][96]

S0088 Kasidet

Kasidet has the ability to initiate keylogging.[97]

G0004 Ke3chang

Ke3chang has used keyloggers.[98][99]

S0387 KeyBoy

KeyBoy installs a keylogger for intercepting credentials and keystrokes.[100]

S0526 KGH_SPY

KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.[101]

G0094 Kimsuky

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.[102][103][104][105][1][15]

S0437 Kivars

Kivars has the ability to initiate keylogging on the infected host.[106]

S0356 KONNI

KONNI has the capability to perform keylogging.[107]

G0032 Lazarus Group

Lazarus Group malware KiloAlfa contains keylogging functionality.[108][109]

S0447 Lokibot

Lokibot has the ability to capture input on the compromised host via keylogging.[110]

S0409 Machete

Machete logs keystrokes from the victim’s machine.[111][112][113][114]

S1016 MacMa

MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.[115][116]

S0282 MacSpy

MacSpy captures keystrokes.[117]

G0059 Magic Hound

Magic Hound malware is capable of keylogging.[118]

S0652 MarkiRAT

MarkiRAT can capture all keystrokes on a compromised host.[119]

S0167 Matryoshka

Matryoshka is capable of keylogging.[120][121]

G0045 menuPass

menuPass has used key loggers to steal usernames and passwords.[122]

S1059 metaMain

metaMain has the ability to log keyboard events.[123][124]

S0455 Metamorfo

Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.[125][126]

S1146 MgBot

MgBot includes keylogger payloads focused on the QQ chat application.[127][128]

S0339 Micropsia

Micropsia has keylogging capabilities.[129]

S1122 Mispadu

Mispadu can log keystrokes on the victim's machine.[130][131][132]

S0149 MoonWind

MoonWind has a keylogger.[133]

S0336 NanoCore

NanoCore can perform keylogging on the victim’s machine.[134]

S0247 NavRAT

NavRAT logs the keystrokes on the targeted system.[135]

S0033 NetTraveler

NetTraveler contains a keylogger.[136]

S0198 NETWIRE

NETWIRE can perform keylogging.[137][138][139][140][141]

S1090 NightClub

NightClub can use a plugin for keylogging.[142]

S0385 njRAT

njRAT is capable of logging keystrokes.[143][144][87]

G0049 OilRig

OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.[145][146]

S0439 Okrum

Okrum was seen using a keylogger tool to capture keystrokes. [147]

C0014 Operation Wocao

During Operation Wocao, threat actors obtained the password for the victim's password manager via a custom keylogger.[148]

S0072 OwaAuth

OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.[91]

S1050 PcShare

PcShare has the ability to capture keystrokes.[81]

S0643 Peppy

Peppy can log keystrokes on compromised hosts.[52]

G0068 PLATINUM

PLATINUM has used several different keyloggers.[94]

S0013 PlugX

PlugX has a module for capturing keystrokes per process including window titles.[149]

S0428 PoetRAT

PoetRAT has used a Python tool named klog.exe for keylogging.[150]

S0012 PoisonIvy

PoisonIvy contains a keylogger.[151][152]

S0378 PoshC2

PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[153]

S1012 PowerLess

PowerLess can use a module to log keystrokes.[154]

S0194 PowerSploit

PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes.[155][156]

S0113 Prikormka

Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[157]

S0279 Proton

Proton uses a keylogger to capture keystrokes.[117]

S0192 Pupy

Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.[158]

S0650 QakBot

QakBot can capture keystrokes on a compromised host.[159][160][161]

S0262 QuasarRAT

QuasarRAT has a built-in keylogger.[162][163]

S0662 RCSession

RCSession has the ability to capture keystrokes on a compromised host.[45][164]

S0019 Regin

Regin contains a keylogger.[165]

S0332 Remcos

Remcos has a command for keylogging.[166][167]

S0375 Remexi

Remexi gathers and exfiltrates keystrokes from the machine.[168]

S0125 Remsec

Remsec contains a keylogger component.[169][170]

S0379 Revenge RAT

Revenge RAT has a plugin for keylogging.[171][172]

S0240 ROKRAT

ROKRAT can use SetWindowsHookEx and GetKeyNameText to capture keystrokes.[173][174]

S0090 Rover

Rover has keylogging functionality.[175]

S0148 RTM

RTM can record keystrokes from both the keyboard and virtual keyboard.[176][177]

S0253 RunningRAT

RunningRAT captures keystrokes and sends them back to the C2 server.[178]

G0034 Sandworm Team

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[179]

S0692 SILENTTRINITY

SILENTTRINITY has a keylogging capability.[180]

S0533 SLOTHFULMEDIA

SLOTHFULMEDIA has a keylogging capability.[181]

S0649 SMOKEDHAM

SMOKEDHAM can continuously capture keystrokes.[182][183]

G0054 Sowbug

Sowbug has used keylogging tools.[184]

S0058 SslMM

SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.[185]

S0018 Sykipot

Sykipot contains keylogging functionality to steal passwords.[186]

S0467 TajMahal

TajMahal has the ability to capture keystrokes on an infected host.[187]

S0595 ThiefQuest

ThiefQuest uses the CGEventTap functions to perform keylogging.[188]

G0027 Threat Group-3390

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[91][189][190]

S0004 TinyZBot

TinyZBot contains keylogger functionality.[191]

G0131 Tonto Team

Tonto Team has used keylogging tools in their operations.[192]

S0094 Trojan.Karagany

Trojan.Karagany can capture keystrokes on a compromised host.[193]

S0130 Unknown Logger

Unknown Logger is capable of recording keystrokes.[31]

S0257 VERMIN

VERMIN collects keystrokes from the victim machine.[194]

G1017 Volt Typhoon

Volt Typhoon has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution.[195]

S0670 WarzoneRAT

WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the GetAsyncKeyState Windows API.[196][197]

S0161 XAgentOSX

XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.[198]

S0248 yty

yty uses a keylogger plugin to gather keystrokes.[199]

S0330 Zeus Panda

Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.[200]

S0412 ZxShell

ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.[24][201]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0027 Driver Driver Load

Monitor for unusual kernel driver installation activity

DS0009 Process OS API Execution

Monitor for API calls to the SetWindowsHook, GetKeyState, and GetAsyncKeyState.[2] and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys or values for unexpected modifications

References

  1. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  2. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
  3. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  4. Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22
  5. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.
  6. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  7. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  8. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  9. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  10. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  11. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  12. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  13. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  14. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  15. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  16. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  17. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  18. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  19. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  20. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  21. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  22. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  23. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  24. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  25. FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024.
  26. Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.
  27. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
  28. Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023.
  29. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  30. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
  31. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  32. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  33. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  34. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  35. Galperin, E., Et al.. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018.
  36. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  37. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  38. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  39. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  40. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  41. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  42. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  43. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  44. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  45. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  46. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  47. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  48. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  49. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  50. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  51. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  52. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  53. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  54. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  55. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  56. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  57. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  58. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  59. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  60. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  61. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  62. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  63. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  64. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  65. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  66. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  67. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  68. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  69. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  70. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  71. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  72. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  73. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  74. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  75. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  76. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  77. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  78. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  79. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  80. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  81. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  82. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  83. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
  84. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  85. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  86. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  87. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  88. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  89. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  90. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  91. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  92. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  93. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  94. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  95. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  96. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  97. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  98. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  99. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  100. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  101. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  1. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  2. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  3. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  4. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  5. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  6. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  7. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  8. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  9. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
  10. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  11. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  12. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  13. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  14. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  15. Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022.
  16. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  17. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  18. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  19. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  20. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  21. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  22. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  23. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  24. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  25. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  26. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  27. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  28. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  29. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  30. Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
  31. SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024.
  32. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  33. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  34. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  35. Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
  36. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  37. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
  38. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  39. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  40. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  41. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  42. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  43. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  44. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  45. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  46. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  47. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  48. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  49. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  50. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
  51. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  52. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  53. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  54. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  55. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  56. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  57. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  58. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  59. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  60. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  61. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  62. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  63. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  64. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  65. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  66. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  67. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  68. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  69. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  70. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  71. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  72. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  73. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  74. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  75. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  76. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  77. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  78. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  79. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  80. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  81. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
  82. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  83. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  84. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  85. Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
  86. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  87. Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021.
  88. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
  89. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  90. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  91. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  92. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  93. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  94. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  95. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  96. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  97. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  98. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  99. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  100. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.