Search Again
APT32
No Description available.
OceanLotus
APT-C-00
APT 32
SeaLotus
APT-LY-100
+6
Target Countries
Singapore
Laos
India
UK
Cambodia
+19
Target Sectors
Manufacturing
Public Administration
National Security&International Affairs
Telecommunications
Retail
+3
Associated Malware/Software
OSX_OCEANLOTUS.D
osx.oceanlotus
win.salgorea
win.soundbite
elf.caja
+35
️Related CVEs
ATT&CK IDs:
T1095 - Non-Application Layer Protocol
T1027 - Obfuscated Files or Information
T1559 - Inter-Process Communication
T1569.002
T1049
+218
| Tactic | Id | Technique | |||
|---|---|---|---|---|---|
| Collection | T1119 | Automated Collection |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1185 | Browser Session Hijacking |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1115 | Clipboard Data |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1113 | Screen Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1530 | Data from Cloud Storage |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1005 | Data from Local System |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1123 | Audio Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1560 | Archive Collected Data |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1114 | Email Collection |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1568 | Dynamic Resolution |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1102 | Web Service |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1095 | Non-Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1008 | Fallback Channels |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1105 | Ingress Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1573 | Encrypted Channel |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1071 | Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1090 | Proxy |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1001 | Data Obfuscation |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1571 | Non-Standard Port |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1132 | Data Encoding |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1555 | Credentials from Password Stores |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1003 | OS Credential Dumping |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1081 | Credentials in Files |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1110 | Brute Force |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1539 | Steal Web Session Cookie |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1187 | Forced Authentication |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1552 | Unsecured Credentials |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1503 | Credentials from Web Browsers |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1036 | Masquerading |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1553 | Subvert Trust Controls |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1218 | System Binary Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1562 | Impair Defenses |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1130 | Install Root Certificate |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1070 | Indicator Removal |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1170 | Mshta |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1112 | Modify Registry |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1027 | Obfuscated Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1085 | Rundll32 |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1014 | Rootkit |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1216 | System Script Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1564 | Hide Artifacts |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1124 | System Time Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1018 | Remote System Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1087 | Account Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1046 | Network Service Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1033 | System Owner/User Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1007 | System Service Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1083 | File and Directory Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1057 | Process Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1217 | Browser Information Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1120 | Peripheral Device Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1082 | System Information Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1012 | Query Registry |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1518 | Software Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1049 | System Network Connections Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1069 | Permission Groups Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1135 | Network Share Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1016 | System Network Configuration Discovery |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1204 | User Execution |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1059 | Command and Scripting Interpreter |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1170 | Mshta |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1129 | Shared Modules |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1072 | Software Deployment Tools |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1559 | Inter-Process Communication |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1085 | Rundll32 |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1106 | Native API |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1047 | Windows Management Instrumentation |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1569 | System Services |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1203 | Exploitation for Client Execution |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1030 | Data Transfer Size Limits |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1011 | Exfiltration Over Other Network Medium |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1029 | Scheduled Transfer |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1486 | Data Encrypted for Impact |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1489 | Service Stop |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1496 | Resource Hijacking |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1531 | Account Access Removal |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1498 | Network Denial of Service |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1490 | Inhibit System Recovery |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1485 | Data Destruction |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1529 | System Shutdown/Reboot |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1561 | Disk Wipe |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1199 | Trusted Relationship |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1566 | Phishing |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1189 | Drive-by Compromise |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1195 | Supply Chain Compromise |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1190 | Exploit Public-Facing Application |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1021 | Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1072 | Software Deployment Tools |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1570 | Lateral Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1505 | Server Software Component |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1137 | Office Application Startup |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1525 | Implant Internal Image |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1112 | Modify Registry |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1136 | Create Account |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1176 | Software Extensions |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1060 | Registry Run Keys / Startup Folder |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1598 | Phishing for Information |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1595 | Active Scanning |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1589 | Gather Victim Identity Information |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1588 | Obtain Capabilities |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1585 | Establish Accounts |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1608 | Stage Capabilities |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1587 | Develop Capabilities |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1583 | Acquire Infrastructure |
Sub Techniques |
Detections |
Mitigations |
Total Count : 942
https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42
https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf
https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/
https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns
https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/
https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/
https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/
https://paper.seebug.org/1301/
https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b79f69a4-18a3-4d4f-b6e5-5ad3e01c984b
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://embeeresearch.io/ghidra-basics-shellcode-analysis/
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf
https://thehackernews.com/2022/05/malware-analysis-trickbot.html
https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise
https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/
https://threatvector.cylance.com/en_us/home/report-the-spyrats-of-oceanlotus.html
https://thedfirreport.com/2024/08/26/blacksuit-ransomware/
https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/
https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf
https://us-cert.cisa.gov/ncas/alerts/aa21-148a
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
https://isc.sans.edu/diary/28636
https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro
https://www.mandiant.com/resources/blog/alphv-ransomware-backup
https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/
https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf
https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/
https://www.malware-traffic-analysis.net/2021/09/29/index.html
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader
https://twitter.com/MBThreatIntel/status/1412518446013812737
https://www.infinitumit.com.tr/apt-35/
https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk
https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/
https://blog.bushidotoken.net/2024/09/the-russian-apt-tool-matrix.html
https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/
https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought
https://embeeresearch.io/ghidra-entropy-analysis-locating-decryption-functions/
https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf
https://www.youtube.com/watch?v=pIXl79IPkLI
https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/
https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html
https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/
https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf
https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e
https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf
https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf
https://unit42.paloaltonetworks.com/trigona-ransomware-update/
https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike
https://www.youtube.com/watch?v=YCwyc6SctYs
https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
https://embee-research.ghost.io/decoding-a-cobalt-strike-vba-loader-with-cyberchef/
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/
https://blog.exatrack.com/melofee/
https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/
https://asec.ahnlab.com/en/34549/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang
https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/
https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/
https://threatpost.com/oceanlotus-apt-uses-steganography-to-shroud-payloads/143373/
https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf
https://www.recordedfuture.com/apt32-malware-campaign/
https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2
https://www.contextis.com/en/blog/dll-search-order-hijacking
https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
https://asec.ahnlab.com/en/31811/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://embee-research.ghost.io/ghidra-basics-shellcode-analysis/
https://twitter.com/GossiTheDog/status/1438500100238577670
https://twitter.com/ItsReallyNick/status/944321013084573697
https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html
https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack
https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671
https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2
https://www.antiy.net/p/analysis-of-the-attack-of-mobile-devices-by-oceanlotus/
https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7
https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine
https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950
https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/
https://www.hvs-consulting.de/lazarus-report/
https://securelist.com/the-sessionmanager-iis-backdoor/106868/
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/
https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/
https://www.mandiant.com/resources/apt41-us-state-governments
https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery
https://www.hhs.gov/sites/default/files/bazarloader.pdf
https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf
https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
https://twitter.com/cglyer/status/1480742363991580674
https://www.arashparsa.com/catching-a-malware-with-no-name/
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/
https://blog.group-ib.com/apt41-world-tour-2021
https://blog.macnica.net/blog/2020/11/dtrack.html
https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/
https://twitter.com/alex_lanstein/status/1399829754887524354
https://www.abc.net.au/news/2018-05-15/hackers-trigger-software-trap-after-phnom-penh-post-sale/9763906
https://asec.ahnlab.com/en/56236/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://www.youtube.com/watch?v=FC9ARZIZglI
https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns
https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811
https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html
https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/
https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/
https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ
https://jp.security.ntt/tech_blog/appdomainmanager-injection
https://www.secureworks.com/research/threat-profiles/gold-drake
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://www.intrinsec.com/apt27-analysis/
https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ
https://noticeofpleadings.com/nickel/#
https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html
https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike
https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html
https://twitter.com/AltShiftPrtScn/status/1403707430765273095
https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html
https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/
https://www.mandiant.com/resources/sabbath-ransomware-affiliate
https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware
https://www.lac.co.jp/lacwatch/people/20180521_001638.html
https://blog.zsec.uk/cobalt-strike-profiles/
https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/
https://twitter.com/ItsReallyNick/status/945681177108762624
https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya
https://twitter.com/AltShiftPrtScn/status/1350755169965924352
https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/
https://www.cynet.com/understanding-squirrelwaffle/
https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A
https://www.youtube.com/watch?v=ysN-MqyIN7M
https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
https://twitter.com/RedDrip7/status/1402640362972147717?s=20
https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors
https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot
http://www.secureworks.com/research/threat-profiles/gold-winter
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger
https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html
https://cert.gov.ua/article/703548
https://isc.sans.edu/diary/rss/26862
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://hitcon.org/2024/CMT/slides/Pirates_of_The_Nang_Hai_Follow_the_Artifacts_of_Tropic_Trooper,_No_One_Knows.pdf
https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them
https://www.tgsoft.it/news/news_archivio.asp?id=1568
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html
https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack
https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html
https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations
https://twitter.com/TheDFIRReport/status/1356729371931860992
https://isc.sans.edu/diary/rss/27176
https://twitter.com/MsftSecIntel/status/1522690116979855360
https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
https://www.prevailion.com/what-wicked-webs-we-unweave/
https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf
https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/
https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
https://thedfirreport.com/2022/09/26/bumblebee-round-two/
https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis
https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection
https://www.mandiant.com/resources/evolution-of-fin7
https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/
https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html
https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments
https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf
https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
https://isc.sans.edu/diary/26752
https://www.inde.nz/blog/different-kind-of-zoombomb
https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/
https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam
https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021
https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/
https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf
https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
https://github.com/mdsecactivebreach/CACTUSTORCH
https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654
https://www.seqrite.com/blog/operation-hollowquill-russian-rd-networks-malware-pdf/
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
https://www.secureworks.com/research/threat-profiles/bronze-president
https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
https://www.brighttalk.com/webcast/10703/261205
https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf
https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf
https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1
https://www.accenture.com/us-en/blogs/security/ransomware-hades
https://blog.group-ib.com/opera1er-apt
https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection
https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20
https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/
https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html
https://security.macnica.co.jp/blog/2022/05/iso.html
https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/
https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7
https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/
https://attack.mitre.org/wiki/Software/S0157
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/
https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services
https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems
https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c
https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/
https://embeeresearch.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f
https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise
https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99
https://www.mandiant.com/resources/spear-phish-ukrainian-entities
https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/
https://cert.gov.ua/article/37704
https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services
https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1
https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf
https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia
https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/
https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g
https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/
http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle
https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot
https://securelist.com/it-threat-evolution-q2-2020/98230
https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/
https://twitter.com/MsftSecIntel/status/1535417776290111489
https://unit42.paloaltonetworks.com/atoms/obscureserpens/
https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/
https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html
https://www.slideshare.net/yurikamuraki5/active-directory-240348605
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf
https://asec.ahnlab.com/ko/39682/
https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a
https://blog.cystack.net/word-based-malware-attack/
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware
https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e
https://www.netresec.com/?page=Blog&month=2024-01&post=Hunting-for-Cobalt-Strike-in-PCAP
https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/
https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike
https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/
https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html
https://labs.bitdefender.com/2020/05/android-campaign-from-known-oceanlotus-apt-group-potentially-older-than-estimated-abused-legitimate-certificate/
https://www.malware-traffic-analysis.net/2021/09/17/index.html
https://redcanary.com/blog/grief-ransomware/
https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/
https://s.tencent.com/research/report/944.html
https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love
https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one
https://d01a.github.io/syscalls/
https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike
https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html
https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf
https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf
https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/
https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns
https://www.arashparsa.com/hook-heaps-and-live-free/
https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/
https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf
https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/
https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/
https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/
https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/
http://blog.nsfocus.net/murenshark
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility
https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf
https://www.mandiant.com/resources/unc2452-merged-into-apt29
https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book
https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/
https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware
https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/
https://cert.gov.ua/article/619229
https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/
https://cocomelonc.github.io/malware/2025/02/24/malware-tricks-45.html
https://twitter.com/Cryptolaemus1/status/1407135648528711680
https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/
https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes
https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
https://intel471.com/blog/conti-emotet-ransomware-conti-leaks
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html
https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/
https://twitter.com/swisscom_csirt/status/1354052879158571008
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/
https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
https://www.mandiant.com/media/12596/download
https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf
https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://twitter.com/vikas891/status/1385306823662587905
https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity
https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/
https://www.youtube.com/watch?v=C733AyPzkoc
https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/
https://awakesecurity.com/blog/catching-the-white-stork-in-flight/
https://community.riskiq.com/article/c88cf7e6
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/
https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/
https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/
https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt
https://isc.sans.edu/diary/rss/28664
https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/
https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/
https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile
https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/
https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/
https://www.youtube.com/watch?v=gfYswA_Ronw
https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/
https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/
https://www.cobaltstrike.com/support
https://twitter.com/elisalem9/status/1398566939656601606
https://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/
https://twitter.com/redcanary/status/1334224861628039169
https://malwarelab.eu/posts/fin6-cobalt-strike/
http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf
https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/
https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper
https://intel471.com/blog/shipping-companies-ransomware-credentials
https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/
https://twitter.com/AltShiftPrtScn/status/1385103712918642688
https://explore.group-ib.com/htct/hi-tech_crime_2018
https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/
https://www.welivesecurity.com/2022/09/06/worok-big-picture/
https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf
https://securelist.com/cve-2024-30051/112618
http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664
https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive
https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf
https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/
https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf
https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics
https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618
https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv
https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/
https://www.secrss.com/articles/17900
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/
https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md
https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf
https://twitter.com/felixw3000/status/1521816045769662468
https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/
https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a
https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/
https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear
https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/
https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware
https://www.secureworks.com/research/threat-profiles/bronze-vinewood
https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/
https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html
https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/
https://netresec.com/?b=214d7ff
https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/
https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html
https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf
https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_5_leon-chang_theo-chen_en.pdf
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection
https://github.com/sophos-cybersecurity/solarwinds-threathunt
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf
https://github.com/Apr4h/CobaltStrikeScan
https://mez0.cc/posts/cobaltstrike-powershell-exec/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://twitter.com/VK_Intel/status/1294320579311435776
https://www.secureworks.com/blog/ransomware-deployed-by-adversary
https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
https://x.com/ItsReallyNick/status/944321013084573697
https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf
https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf
https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/
https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update
https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/
https://medium.com/@b.magnezi/malware-analysis-cobalt-strike-92ef02b35ae0
https://hunt.io/blog/golang-beacons-vs-code-tunnels-tracking-cobalt-strike
https://www.zdnet.com/article/toyota-announces-second-security-breach-in-the-last-five-weeks/
https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/
https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my
https://censys.com/a-beginners-guide-to-hunting-open-directories/
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/
https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9
https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/
https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations
https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/
https://zero.bs/cobaltstrike-beacons-analyzed.html
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/
https://twitter.com/ffforward/status/1324281530026524672
https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e
https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/
https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/
https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html
https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure
https://twitter.com/Unit42_Intel/status/1458113934024757256
https://www.brighttalk.com/webcast/7451/462719
https://isc.sans.edu/diary/27308
https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf
https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a
https://twitter.com/TheDFIRReport/status/1359669513520873473
https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/
https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx
https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran
https://www.youtube.com/watch?v=ftjDH65kw6E
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/
https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/
https://www.secureworks.com/research/samsam-ransomware-campaigns
https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b
https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html
https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/
https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors
https://www.lac.co.jp/lacwatch/report/20210521_002618.html
https://twitter.com/Unit42_Intel/status/1461004489234829320
https://isc.sans.edu/diary/rss/28934
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.youtube.com/watch?v=XfUTpwZKCDU
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/
https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf
https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021
https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489
https://securelist.com/apt-phantomlance/96772/
https://github.com/eset/malware-research/tree/master/oceanlotus
https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://github.com/gentilkiwi/mimikatz
https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py
https://x.com/ItsReallyNick/status/945681177108762624
https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html
https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine
https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/
https://github.com/danielbohannon/Invoke-Obfuscation
https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
https://www.reuters.com/article/us-cyber-attack-vietnam/vietnams-neighbors-asean-targeted-by-hackers-report-idUSKBN1D70VU
https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf
https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites
https://blog.cobaltstrike.com/
https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview
https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia
https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e
https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/
https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/
https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/
https://asec.ahnlab.com/en/47455/
https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering
https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/
https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/
https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/
https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
https://asec.ahnlab.com/ko/19640/
https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf
https://www.ic3.gov/Media/News/2021/210823.pdf
https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/
https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
https://thedfirreport.com/2022/03/07/2021-year-in-review/
https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/
https://thedfirreport.com/2020/10/08/ryuks-return/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east
https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/
https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf
https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/
https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/
https://www.ic3.gov/media/news/2020/200917-1.pdf
https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65
https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
https://www.secureworks.com/research/threat-profiles/tin-woodlawn
https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/
https://www.varonis.com/blog/hive-ransomware-analysis
https://www.youtube.com/watch?v=borfuQGrB8g
https://isc.sans.edu/diary/rss/28752
https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes
http://www.secureworks.com/research/threat-profiles/gold-franklin
https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html
https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html
https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment
http://www.secureworks.com/research/threat-profiles/gold-burlap
https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
https://www.cybereason.com/blog/operation-cobalt-kitty-apt
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf
https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike
https://attack.mitre.org/groups/G0011
https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/
https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware
https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/
https://connormcgarr.github.io/thread-hijacking/
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://community.riskiq.com/article/0bcefe76
https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://redcanary.com/blog/gootloader
https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/
https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux
https://www.riskiq.com/blog/analyst/oceanlotus/
https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://krebsonsecurity.com/2015/08/chinese-vpn-service-as-attack-platform/
https://www.mandiant.com/resources/defining-cobalt-strike-components
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks
https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html
https://asec.ahnlab.com/ko/56256/
https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom
https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
https://www.ironnet.com/blog/ransomware-graphic-blog
https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts
https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/
https://www.mandiant.com/media/10916/download
https://www.codercto.com/a/46729.html
https://cocomelonc.github.io/malware/2025/01/19/malware-tricks-44.html
https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/
https://isc.sans.edu/diary/rss/28448
https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html
https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/
https://youtu.be/_VZCocEFHgk?feature=shared
https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f
https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/
http://www.secureworks.com/research/threat-profiles/gold-kingswood
https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md
https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/
https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/
https://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
https://www.ic3.gov/Media/News/2021/210527.pdf
https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/
https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/
https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
https://boschko.ca/cobalt-strike-process-injection/
https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan
https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware
https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/
https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/
https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153
https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/
https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf
https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/
https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf
https://github.com/chronicle/GCTI
https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/
https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt
https://embee-research.ghost.io/shodan-censys-queries/
https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/
https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass
https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/
https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/
https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation
https://www.secureworks.com/research/threat-profiles/cobalt-hickman
https://www.secureworks.com/research/threat-profiles/gold-waterfall
https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/
https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
https://www.youtube.com/watch?v=6SDdUVejR2w
https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/
https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass
https://assets.virustotal.com/reports/2021trends.pdf
https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/
https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#
https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20
https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/
https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5
https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf
https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf
https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/
https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf
https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf
https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/
https://web.br.de/interaktiv/ocean-lotus/en/
https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups
https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists
https://www.malware-traffic-analysis.net/2023/10/03/index.html
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/
https://asec.ahnlab.com/ko/19860/
http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware
https://cert.gov.ua/article/339662
https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html
https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/
https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war
https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf
https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion
https://thedfirreport.com/2022/04/25/quantum-ransomware/
https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee
https://brica.de/alerts/alert/public/1258637/oceanlotus-on-asean-affairs/
https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
https://www.elastic.co/security-labs/grimresource
https://www.youtube.com/watch?v=WW0_TgWT2gs
https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/
https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
https://blog.group-ib.com/REvil_RaaS
https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt
https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/
https://blogs.vmware.com/security/2020/09/detecting-threats-in-real-time-with-active-c2-information.html
https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/
https://malware-traffic-analysis.net/2021/09/29/index.html
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/
https://attack.mitre.org/groups/G0050/
https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf
https://www.youtube.com/watch?v=LA-XE5Jy2kU
https://blog.talosintelligence.com/2021/05/ctir-case-study.html
https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks
https://www.bitsight.com/blog/emotet-botnet-rises-again
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/
https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
https://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://embeeresearch.io/shodan-censys-queries/
https://www.nextron-systems.com/2025/04/29/nitrogen-dropping-cobalt-strike-a-combination-of-chemical-elements/
https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf
https://www.istrosec.com/blog/apt-sk-cobalt/
https://redcanary.com/blog/getsystem-offsec/
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf
https://www.mandiant.com/resources/russian-targeting-gov-business
https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf
https://experience.mandiant.com/trending-evil-2/p/1
https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf
https://m.threatbook.cn/detail/2527
https://www.cfr.org/interactive/cyber-operations/ocean-lotus
https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf
https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730
https://wbglil.gitbook.io/cobalt-strike/
https://embee-research.ghost.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/
https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html
https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
https://blog.group-ib.com/colunmtk_apt41
https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia
https://x.com/embee_research/status/1736758775326146778
https://redcanary.com/blog/intelligence-insights-december-2021
https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink
https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/
https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html
https://community.riskiq.com/article/f0320980
https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire
https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/
https://twitter.com/inversecos/status/1456486725664993287
https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx
https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf
https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/
https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos
https://attack.mitre.org/groups/G0034
https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022
https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/
http://www.secureworks.com/research/threat-profiles/gold-drake
https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
https://www.youtube.com/watch?v=GfbxHy6xnbA
https://www.secureworks.com/research/threat-profiles/gold-kingswood
https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/
https://www.secureworks.com/research/darktortilla-malware-analysis
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east
https://x.com/embee_research/status/1737325167024738425?s=46
https://www.qurium.org/alerts/targeted-malware-against-crph/
https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b
https://www.telsy.com/download/5972/?uid=d7c082ba55
https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html
https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
https://cyber.wtf/2022/03/23/what-the-packer/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/
https://attack.mitre.org/groups/G0096
https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf
https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/
https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
https://skyblue.team/posts/scanning-virustotal-firehose/
https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/
https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
https://services.google.com/fh/files/misc/m-trends-2025-en.pdf
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://www.youtube.com/watch?v=y65hmcLIWDY
https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf
https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/
https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel
https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/
https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
https://blogs.blackberry.com/en/2022/01/log4u-shell4me
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf
https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus
https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel
https://securelist.com/apt-luminousmoth/103332/
https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide
https://isc.sans.edu/diary/rss/27618
https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf
https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf
https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam
https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack
https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/
https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/
https://embee-research.ghost.io/ghidra-entropy-analysis-locating-decryption-functions/
https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728
https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html
https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef
https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://unit42.paloaltonetworks.com/cobalt-strike-team-server/
https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon
https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/
https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
https://malwarebookreports.com/cryptone-cobalt-strike/
https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7
https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks
https://www.sans.org/webcasts/contrarian-view-solarwinds-119515
https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html
https://blog.talosintelligence.com/warmcookie-analysis/
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf
https://www.secureworks.com/research/threat-profiles/gold-dupont
https://blog.xpnsec.com/exploring-mimikatz-part-1/
https://www.macnica.net/file/mpression_automobile.pdf
https://assets.stairwell.com/hubfs/Marketing-Assets/Stairwell-threat-report-The-origin-of-APT32-macros.pdf
https://blogs.blackberry.com/en/2021/11/zebra2104
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks
https://rules.emergingthreatspro.com/changelogs/suricata-5.0-enhanced.etpro.2019-12-05T23:38:02.txt
https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
https://thedfirreport.com/2021/05/12/conti-ransomware/
https://www.youtube.com/watch?v=YDtLmhw_nTo
https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/
https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718
https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/
Copyright © 2025 SOCRadar Cyber Intelligence Inc.
All rights
reserved.
