Thanks to visit codestin.com
Credit goes to attack.mitre.org

  1. Home
  2. Techniques
  3. Enterprise
  4. Masquerading
  5. Match Legitimate Resource Name or Location

Masquerading: Match Legitimate Resource Name or Location

ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename Legitimate Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Resource Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension
T1036.008 Masquerade File Type
T1036.009 Break Process Trees
T1036.010 Masquerade Account Name
T1036.011 Overwrite Process Arguments

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.[1]

ID: T1036.005
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Containers, ESXi, Linux, Windows, macOS
Contributors: Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 2.0
Created: 10 February 2020
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.[2]
G0018 admin@338

admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe[3]
G1024 Akira

Akira has used legitimate names and locations for files to evade defenses.[4]
S1074 ANDROMEDA

ANDROMEDA has been installed to C:\Temp\TrustedInstaller.exe to mimic a legitimate Windows installer service.[5]
S0622 AppleSeed

AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[6]
G0006 APT1

The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[7][8]
G0007 APT28

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[9]
G0016 APT29

APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.[10][11]
G0050 APT32

APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. [12][13]
G0087 APT39

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[14][15]
G0096 APT41

APT41 attempted to masquerade their files as popular anti-virus software.[16][17]
G1044 APT42

APT42 has masqueraded the VINETHORN payload as a VPN application.[18]

G1023 APT5

APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a KB<digits>.zip pattern.[19]
G0143 Aquatic Panda

Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.[20]
S0475 BackConfig

BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.[21]
G0135 BackdoorDiplomacy

BackdoorDiplomacy has dropped implants in folders named for legitimate software.[22]
S0606 Bad Rabbit

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.[23][24]
S0128 BADNEWS

BADNEWS attempts to hide its payloads using legitimate filenames.[25]
S0534 Bazar

The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[26][27][28]
S0268 Bisonal

Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp.[29]

S1070 Black Basta

The Black Basta dropper has mimicked an application for creating USB bootable drivers.[30]
S0520 BLINDINGCAN

BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[31]
G0108 Blue Mockingbird

Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[32]
G0060 BRONZE BUTLER

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[33]
S1063 Brute Ratel C4

Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[34]
S1039 Bumblebee

Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.[35]
S0482 Bundlore

Bundlore has disguised a malicious .app file as a Flash Player update.[36]
C0017 C0017

During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[37]
C0018 C0018

For C0018, the threat actors renamed a Sliver payload to vmware_kb.exe.[38]
C0032 C0032

During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[39]
S0274 Calisto

Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.[40]
G0008 Carbanak

Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[41]
S0484 Carberp

Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[42][43]
S0631 Chaes

Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL.[44]
S0144 ChChes

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[45]
G0114 Chimera

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[46]
S1041 Chinoxy

Chinoxy has used the name eoffice.exe in attempt to appear as a legitimate file.[47]
S0625 Cuba

Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[48]

S1153 Cuckoo Stealer

Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[49][50]
S0687 Cyclops Blink

Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.[51]
S1014 DanBot

DanBot files have been named UltraVNC.exe and WINVNC.exe to appear as legitimate VNC tools.[52]
S0334 DarkComet

DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[53]
G0012 Darkhotel

Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[54]
S0187 Daserf

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[55]
S0600 Doki

Doki has disguised a file as a Linux kernel module.[56]
S0694 DRATzarus

DRATzarus has been named Flash.exe, and its dropper has been named IExplorer.[57]
S0567 Dtrack

One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[58]
S1158 DUSTPAN

DUSTPAN is often disguised as a legitimate Windows binary such as w3wp.exe or conn.exe.[59]
G1006 Earth Lusca

Earth Lusca used the command move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.[60]
S0605 EKANS

EKANS has been disguised as update.exe to appear as a valid executable.[61]
S0081 Elise

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[62]
G1003 Ember Bear

Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to java in victim environments.[63]
S0171 Felismus

Felismus has masqueraded as legitimate Adobe Content Management System files.[64]
G0137 Ferocious Kitten

Ferocious Kitten has named malicious files update.exe and loaded them into the compromise host's "Public" folder.[65]
G1016 FIN13

FIN13 has masqueraded WAR files to look like legitimate packages such as, wsexample.war, wsexamples.com, examples.war, and exampl3s.war.[66]
G0046 FIN7

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[67]
S0182 FinFisher

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[68][69]
S0661 FoggyWeb

FoggyWeb can be disguised as a Visual Studio file such as Windows.Data.TimeZones.zh-PH.pri to evade detection. Also, FoggyWeb's loader can mimic a genuine dll file that carries out the same import functions as the legitimate Windows version.dll file.[70]
G0117 Fox Kitten

Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[71]
S0410 Fysbis

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[72]
G0047 Gamaredon Group

Gamaredon Group has used legitimate process names to hide malware including svchosst.[73]
S0666 Gelsemium

Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.[74]
S1197 GoBear

GoBear is installed through droppers masquerading as legitimate, signed software installers.[75]
S0493 GoldenSpy

GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.[76]

S0588 GoldMax

GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[77][78]
S0477 Goopy

Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[12]
S0531 Grandoreiro

Grandoreiro has named malicious browser extensions and update files to appear legitimate.[79][80]
S0690 Green Lambert

Green Lambert has been disguised as a Growl help file.[81][82]
S0697 HermeticWiper

HermeticWiper has used the name postgressql.exe to mask a malicious payload.[83]
S0698 HermeticWizard

HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll.[83]
C0038 HomeLand Justice

During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[84][85]
S0070 HTTPBrowser

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[86]
S1022 IceApple

IceApple .NET assemblies have used App_Web_ in their file names to appear legitimate.[87]
S0483 IcedID

IcedID has modified legitimate .dll files to include malicious code.[88]
G1032 INC Ransom

INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.[89][90]
G0119 Indrik Spider

Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.[91]
S0259 InnaputRAT

InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[92]
S0260 InvisiMole

InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.[93][94]
S0015 Ixeshe

Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[95]
S1203 J-magic

J-magic can rename itself as "[nfsiod 0]" to masquerade as the local Network File System (NFS) asynchronous I/O server.[96]
C0050 J-magic Campaign

During the J-magic Campaign, threat actors used the name "JunoscriptService" to masquerade malware as the Junos automation scripting service.[96]
G0004 Ke3chang

Ke3chang has dropped their malware into legitimate installed software paths including: C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe.[97]
S0526 KGH_SPY

KGH_SPY has masqueraded as a legitimate Windows tool.[98]
G0094 Kimsuky

Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.[99]
S0669 KOCTOPUS

KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.[100]

S0356 KONNI

KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[101]
S1160 Latrodectus

Latrodectus has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.[102]
G0032 Lazarus Group

Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.[103][104]
S0395 LightNeuron

LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.[105]
S0582 LookBack

LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.[106]
G1014 LuminousMoth

LuminousMoth has disguised their exfiltration malware as ZoomVideoApp.exe.[107]
S0409 Machete

Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[108][109]
G0095 Machete

Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.[110]
G0059 Magic Hound

Magic Hound has used dllhost.exe to mask Fast Reverse Proxy (FRP) and MicrosoftOutLookUpdater.exe for Plink.[111][112][113]
S1182 MagicRAT

MagicRAT stores configuration data in files and file paths mimicking legitimate operating system resources.[114]
S0652 MarkiRAT

MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.[65]
S0500 MCMD

MCMD has been named Readme.txt to appear legitimate.[115]
S0459 MechaFlounder

MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.[116]
G0045 menuPass

menuPass has been seen changing malicious files to appear legitimate.[117]
S0455 Metamorfo

Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.[118][119]

S0084 Mis-Type

Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[120][121]
S0083 Misdat

Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[120][121]
G0069 MuddyWater

MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.[122][123][124]
G0129 Mustang Panda

Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.[125]
G1020 Mustard Tempest

Mustard Tempest has used the filename AutoUpdater.js to mimic legitimate update files and has also used the Cyrillic homoglyph characters С (0xd0a1) and а (0xd0b0), to produce the filename Сhrome.Updаte.zip.[126][127]
G0019 Naikon

Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.[128]
S0630 Nebulae

Nebulae uses functions named StartUserModeBrowserInjection and StopUserModeBrowserInjection indicating that it's trying to imitate chrome_frame_helper.dll.[128]
S0198 NETWIRE

NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.[129]
S1090 NightClub

NightClub has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.[130]
S1100 Ninja

Ninja has used legitimate looking filenames for its loader including update.dll and x64.dll.[131]
S0353 NOKKI

NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.[132]
S0340 Octopus

Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[133][134]
G0049 OilRig

OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.[135]
S0138 OLDBAIT

OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."[136]
C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors renamed a malicious executable to rundll32.exe to allow it to blend in with other Windows system files.[137]
C0006 Operation Honeybee

During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.[138]

C0013 Operation Sharpshooter

During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as mssync.exe.[139]
C0014 Operation Wocao

During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs.[140]
S0402 OSX/Shlayer

OSX/Shlayer can masquerade as a Flash Player update.[141][142]
S1017 OutSteel

OutSteel attempts to download and execute Saint Bot to a statically-defined location attempting to mimic svchost: %TEMP%\svjhost.exe.[143]
S0072 OwaAuth

OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\.[144]
G0040 Patchwork

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[145] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.[146]
S1050 PcShare

PcShare has been named wuauclt.exe to appear as the legitimate Windows Update AutoUpdate Client.[47]
S0587 Penquin

Penquin has mimicked the Cron binary to hide itself on compromised systems.[147]
S0501 PipeMon

PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.[148]
S0013 PlugX

PlugX has been disguised as legitimate Adobe and PotPlayer files.[149]
G0033 Poseidon Group

Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[150]
S1046 PowGoop

PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.[151]
G0056 PROMETHIUM

PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[152][153]
S0196 PUNCHBUGGY

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[154][155]
S1032 PyDCrypt

PyDCrypt has dropped DCSrv under the svchost.exe name to disk.[156]
S0583 Pysa

Pysa has executed a malicious executable by naming it svchost.exe.[157]
S0269 QUADAGENT

QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.[158]
S1084 QUIETEXIT

QUIETEXIT has attempted to change its name to cron upon startup. During incident response, QUIETEXIT samples have been identified that were renamed to blend in with other legitimate files.[159]
S0565 Raindrop

Raindrop was installed under names that resembled legitimate Windows file and directory names.[160][161]
S0629 RainyDay

RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.[128]
S0458 Ramsay

Ramsay has masqueraded as a 7zip installer.[162][163]

S0495 RDAT

RDAT has masqueraded as VMware.exe.[164]

G1039 RedCurl

RedCurl mimicked legitimate file names and scheduled tasks, e.g. MicrosoftCurrentupdatesCheck andMdMMaintenenceTask to mask malicious files and scheduled tasks.[165][166]
S0125 Remsec

The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[167][168]
S0496 REvil

REvil can mimic the names of known executables.[169]
G0106 Rocke

Rocke has used shell scripts which download mining executables and saves them with the filename "java".[170]
S1078 RotaJakiro

RotaJakiro has used the filename systemd-daemon in an attempt to appear legitimate.[171]
S0446 Ryuk

Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.[172]
S0085 S-Type

S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[120][121]
S1018 Saint Bot

Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[173]
S1099 Samurai

Samurai has created the directory %COMMONPROGRAMFILES%\Microsoft Shared\wmi\ to contain DLLs for loading successive stages.[174]
G0034 Sandworm Team

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[175][176]
S1019 Shark

Shark binaries have been named audioddg.pdb and Winlangdb.pdb in order to appear legitimate.[52]
S0445 ShimRatReporter

ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font.[177]
S0589 Sibot

Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.[77]
G1008 SideCopy

SideCopy has used a legitimate DLL file name, Duser.dll to disguise a malicious remote access tool.[178]
G0121 Sidewinder

Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.[179]
G0091 Silence

Silence has named its backdoor "WINWORD.exe".[180]
S0468 Skidmap

Skidmap has created a fake rm binary to replace the legitimate Linux binary.[181]
S0533 SLOTHFULMEDIA

SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.[182]
S1035 Small Sieve

Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.[183]
S1124 SocGholish

SocGholish has been named AutoUpdater.js to mimic legitimate update files.[127]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign.[184][185]
G0054 Sowbug

Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[186]
S0058 SslMM

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[187]
S0188 Starloader

Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.[186]
G1046 Storm-1811

Storm-1811 has disguised Cobalt Strike installers as a malicious DLL masquerading as part of a legitimate 7zip installation package.[188]
S1183 StrelaStealer

StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.[189]
S1034 StrifeWater

StrifeWater has been named calc.exe to appear as a legitimate calculator program.[190]
S0491 StrongPity

StrongPity has been bundled with legitimate software installation files for disguise.[152]
S1042 SUGARDUMP

SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable.[191]
S0559 SUNBURST

SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.[161]

S0562 SUNSPOT

SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log.[192]

S0578 SUPERNOVA

SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[193][194]
G1018 TA2541

TA2541 has used file names to mimic legitimate Windows files or system functionality.[195]
S0586 TAINTEDSCRIBE

The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator.[103]
S1011 Tarrask

Tarrask has masqueraded as executable files such as winupdate.exe, date.exe, or win.exe.[196]

G0139 TeamTNT

TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.[197]
S0560 TEARDROP

TEARDROP files had names that resembled legitimate Window file and directory names.[198][161]
S0595 ThiefQuest

ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.[199][200]
S0665 ThreatNeedle

ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.[201]
S0668 TinyTurla

TinyTurla has been deployed as w64time.dll to appear legitimate.[202]
G1022 ToddyCat

ToddyCat has used the name debug.exe for malware components.[174]
S1201 TRANSLATEXT

TRANSLATEXT has been named GoogleTranslate.crx to masquerade as a legitimate Chrome extension.[203]

G0134 Transparent Tribe

Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[204]
C0030 Triton Safety Instrumented System Attack

In the Triton Safety Instrumented System Attack, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.
S1196 Troll Stealer

Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.[205][75]
G0081 Tropic Trooper

Tropic Trooper has hidden payloads in Flash directories and fake installer files.[206]
G0010 Turla

Turla has named components of LunarWeb to mimic Zabbix agent logs.[207]
S0386 Ursnif

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[208]
S0136 USBStealer

USBStealer mimics a legitimate Russian program called USB Disk Security.[209]
G1047 Velvet Ant

Velvet Ant used a malicious DLL, iviewers.dll, that mimics the legitimate "OLE/COM Object Viewer" within Windows.[210]
G1017 Volt Typhoon

Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.[211][212][213]
G0107 Whitefly

Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[214]
S0141 Winnti for Windows

A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[215]
G0090 WIRTE

WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate.[216]
S0086 ZLib

ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[120]

Mitigations

ID Mitigation Description
M1045 Code Signing

Require signed binaries and images.
M1038 Execution Prevention

Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.
M1022 Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

Detection

ID Data Source Data Component Detects
DS0022 File File Metadata

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
DS0007 Image Image Metadata

In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[217] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.
DS0009 Process Process Creation

Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Looks for mismatches between process names and their image paths.Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exesvchost.exe, etc).There are several sub-techniques, but this analytic focuses on Match Legitimate Resource Name or Location only.

Note: With process monitoring, hunt for processes matching these criteria:

  • process name is svchost.exesmss.exewininit.exetaskhost.exe, etc.
  • process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples (true positive): C:\Users\administrator\svchost.exe

To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe

Analytic 1 - Common Windows Process Masquerading

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe")) OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR (Image="lasass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe") OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe")
Process Metadata

Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

References

  1. Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025.
  2. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  3. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  4. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
  5. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  6. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  7. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  8. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  9. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  10. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  11. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  12. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  13. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  14. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  15. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  16. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  17. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  18. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  19. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  20. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  21. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  22. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  23. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  24. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  25. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  26. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  27. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  28. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  29. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  30. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  31. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  32. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  33. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  34. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  35. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  36. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  37. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  38. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  39. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  40. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  41. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  42. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  43. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  44. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  45. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  46. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
  47. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  48. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  49. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  50. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.
  51. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  52. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  53. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  54. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
  55. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  56. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  57. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  58. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  59. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  60. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  61. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  62. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  63. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  64. Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved November 17, 2024.
  65. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  66. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  67. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  68. FinFisher. (n.d.). Retrieved September 12, 2024.
  69. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  70. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  71. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  72. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  73. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  74. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  75. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  76. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  77. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  78. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  79. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  80. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  81. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  82. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
  83. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  84. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  85. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  86. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  87. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  88. Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
  89. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  90. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  91. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  92. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  93. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  94. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  95. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  96. Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
  97. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  98. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  99. Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.
  100. Ionut Arghire. (2021, February 24). New ‘LazyScripter’ Hacking Group Targets Airlines. Retrieved January 10, 2024.
  101. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  102. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  103. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  104. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  105. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  106. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  107. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  108. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  109. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  1. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  2. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  3. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  4. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  5. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
  6. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  7. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  8. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  9. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  10. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  11. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  12. Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.
  13. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  14. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  15. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  16. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  17. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
  18. Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
  19. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  20. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  21. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  22. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  23. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  24. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  25. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  26. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  27. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  28. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  29. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  30. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  31. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  32. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  33. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  34. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  35. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  36. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
  37. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  38. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  39. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  40. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  41. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  42. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  43. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  44. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  45. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  46. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  47. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  48. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  49. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  50. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  51. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  52. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  53. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  54. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  55. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  56. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  57. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  58. Warwick Ashford. (2016, August 8). Strider cyber attack group deploying malware for espionage. Retrieved January 10, 2024.
  59. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  60. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  61. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  62. Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
  63. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  64. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  65. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  66. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  67. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  68. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  69. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  70. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
  71. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  72. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  73. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  74. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  75. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  76. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  77. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  78. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  79. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  80. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
  81. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  82. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  83. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  84. Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
  85. Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
  86. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  87. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  88. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  89. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  90. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  91. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
  92. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  93. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  94. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
  95. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  96. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  97. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  98. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  99. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  100. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  101. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  102. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  103. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  104. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  105. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  106. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  107. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  108. Docker. (n.d.). Docker Images. Retrieved April 6, 2021.